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Preface 



This volume contains the papers from the Seventh International Workshop on Logic 
Program Synthesis and Transformation, LOPSTR '97, that took place in Leuven, 
Belgium, on July 10-12, 1997, 'hack-to-back' with the Fourteenth International 
Conference on Logic Programming, ICLP '97. Both ICLP and LOPSTR were 
organised by the K.U. Leuven Department of Computer Science. LOPSTR '97 was 
sponsored by Compulog Net and by the Flanders Research Network on Declarative 
Methods in Computer Science. LOPSTR '97 had 39 participants from 13 countries. 

There were two invited talks by Wolfgang Bibel (Darmstadt) on 'A multi-level 
approach to program synthesis', and by Henning Christiansen (Roskilde) on 'Implicit 
program synthesis by a reversible metainterpreter'. Extended versions of both talks 
appear in this volume. 

There were 19 technical papers accepted for presentation at LOPSTR '97, out of 33 
submissions. Of these, 15 appear in extended versions in this volume. Their topics 
range over the fields of program synthesis, program transformation, program analysis, 
tabling, metaprogramming, and inductive logic programming. 

My thanks go to the workshop co-chairs and local organisers, Bart Demoen and 
Gerda Janssens, and to their team for efficiently organising the event and for 
preparing the preliminary proceedings. I wish to thank the members of the LOPSTR 
'97 program committee and the referees for their prompt and thorough work. I am 
grateful to the program chairman of LOPSTR'96, John Gallagher, for his helpful 
advice. LOPSTR '97 received sponsorship from Compulog Net and from the Flanders 
Research Network on Declarative Methods in Computer Science which is gratefully 
acknowledged. Furthermore, I would like to thank Maurice Bruynooghe and David 
Pearce for their help. Finally, thanks to Uta Schwertel who assisted in preparing these 
proceedings. 
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Abstract. We present an approach to a coherent program synthesis sys- 
tem which integrates a variety of interactively controlled and automated 
techniques from theorem proving and algorithm design at different lev- 
els of abstraction. Besides providing an overall view we summarize the 
individual research results achieved in the course of this development. 

1 Introduction 

The development of programs from formal specifications is an activity which 
requires logical reasoning on various levels of abstraction. The design of the pro- 
gram’s overall structure involves reasoning about data and program structures. 
Inductive reasoning is necessary for determining a program’s behavior on finite, 
but non-atomic data such as lists, arrays, queues, and sometimes even natural 
numbers. First-order reasoning is required to analyze the order of steps which 
are necessary to achieve a desired result. Propositional reasoning is used to make 
sure that all the formal details are correctly arranged. 

Program synthesis and transformation is therefore strongly related to the 
concept of proofs. This has been particularly emphasized by the development of 
languages and tools for logic programming which use deductive techniques for 
the simulation of mathematical reasoning as their basic execution model. 

In the field of Automated Theorem Proving (ATP) deductive systems have 
been developed for many of the above-mentioned areas. Each of these systems 
is tailored towards a particular style of reasoning but shows weaknesses outside 
its specific area. There is no single automated proof procedure which can handle 
all the reasoning problems occurring during program synthesis equally well and 
because of the very nature of the problem it is not very likely that there will ever 
be one. Instead, it is more meaningful to combine the strengths of the individual 
proof procedures by integrating them into a single reasoning system which can 
perform reasoning at all the above-mentioned levels of abstraction. 

During the last few years the Intellectics Laboratory of Darmstadt Insti- 
tute of Technology has been active in the development of such an integrated, 
application-oriented ATP-system which can serve as an inference engine of a co- 
herent program synthesis system. For this purpose we have developed specialized 
proof procedures which deal with problem formalizations on the propositional, 
(constructive) first-order, inductive, and higher levels. On the other hand we 
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have generated interfaces for each of these procedures which make it possible to 
present the generated proof in a common logical calculus. The resulting multi- 
level synthesis system, called MAPS, can extract individual proof tasks from a 
given programming problem, delegate them to specialized proof procedures, and 
combine the resulting proofs into a solution of the original problem. In addi- 
tion to that it will be able to proceed interactively whenever none of the proof 
procedures can handle the task automatically. Algorithm 

Specification 



Extraction of 
proof tasks 



Selection of 

proof procedure , 
or strategy \ 

and presentation 



Integration of 
solution(s) 




Program 



Fig. 1. Structure of the MAPS program synthesis system 



The conceptual structure of MAPS is illustrated in Fig. H It shows on the left 
hand side automatic proof procedures for different levels of reasoning, viz. propo- 
sitional, first-order, and inductive reasoning as well as high-level algorithm design 
strategies. Each of these procedures will receive proof tasks from a program devel- 
opment system, indicated by the horizontal arrows on top, which were extracted 
from a given synthesis problem. After solving their tasks the proof procedures 
will send their solution to a conversion module. This module will generate a rep- 
resentation of the solution in the common calculus and return it to the program 
development system (horizontal arrows on the bottom level) . The dotted arrows 
indicate that the high-level strategies will ideally create subtasks which can be 
handled by the lower-level procedures immediately. If none of the available proof 
procedures suits the proof task to be solved the program development system 
will have to rely on user interaction (right hand side). 

As common platform for our work we have chosen the NuPRL proof develop- 
ment system since its underlying logical calculus can deal with a rich variety 
of problems from mathematics and programming and allows to formalize even 
high-level strategies in a natural way. Since it is based on the proofs-as-programs 
paradigm to program synthesis it allows to treat algorithm design strategies 
as proof procedures and to integrate a great variety of reasoning techniques on 
all levels of abstraction. Finally it supports interaction with a human expert 
(programmer) whenever the automated strategies turn out to be too weak. 
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All our automated proof procedures were originally developed independently 
from the common platform and we had to provide techniques for integrating 
them into the top-down sequent proof style of NuPRL. 

— Formulas from propositional intuitionistic logic will be decided by translating 
them into classical logic P and applying a non-normal form Davis-Putnam 
procedure m- This procedure will be embedded as trusted refiner which 
creates a sequent proof on demand. 

— Matrix methods for constructive first-order logic use a non-clausal extension 
of the connection method [4l31)j . They have been combined with an algorithm 
for translating matrix proofs into sequent proofs m and integrated into 
NuPRL as a proof tactic m- 

— Inductive proofs will be generated by proof planners involving rippling m 
and rewrite techniques. Sequences of rewrite steps will be transformed into 
applications of cut- and substitution rules while other techniques will deter- 
mine the parameters of the general induction rule |2nE3- 

— High-level synthesis strategies will be integrated by verifying formal theorems 
about schematic program construction HHcni. For each strategy a theorem 
describing the axioms for the correctness of a particular class of algorithms 
will serve as derived inference rule. It will be accompanied by specialized 
tactics for determining and validating values for its parameters |43|. This 
technique heavily relies on verified domain knowledge but is very effec- 
tive. 

The MAPS enterprise may be seen as a milestone in the long tradition of program 
synthesis efforts of our group which started as early as 1974 eventually leading to 
the program system LOPS (see 0 for a detailed exposition of this development) . 
In lack of powerful proof systems at that time the emphasis then was laid on 
high-level strategies guiding the synthesis (or search for a proof) while in MAPS 
it is laid more on the proof obligations resulting in the synthesis task. The present 
paper considerably extends the preliminary outline of the concepts underlying 
MAPS given in (B| and presents the results achieved in the meantime. 

In the following we shall describe our proof methods and their integration 
into the NuPRL program development system. In Section|2|we shall discuss proof 
procedures for intuitionistic propositional and first-order logic while Section El 
describes the integration of rewriting techniques for inductive theorem proving. 
Section 01 deals with higher-level synthesis strategies, particularly with algorithm 
design strategies based on schematic solutions for certain classes of algorithms. 
We conclude with an outlook to future work. 

2 Integrating Theorem Provers for First Order Logic 

In this section we will give a survey on automated proof search procedures we 
have developed for the first-order and propositional fragment of intuitionistic 
logic. Furthermore we shall briefly discuss how to integrate the proofs con- 
structed by these procedures into the NuPRL environment. 



4 



W. Bibel et al. 



2.1 Decision Procedures for Intuitionistic Propositional Logic 

The intuitionistic validity of propositional formulas could in principle be inves- 
tigated by first-order proof procedures. Nevertheless there are good reasons to 
develop methods tailored to the specific properties of propositional logic: 

1. first-order methods usually fail to detect the invalidity of a propositional 
formula 

2. the technical overhead necessary to deal with quantifiers can be skipped if 
the formula under consideration is propositional only 

3. in many cases all that is asked about a propositional formula can essentially 
be answered by “yes” or “no” instead of an actual proof construction 

In classical logic these insights have led to decision procedures like the Davis- 
Putnam procedure which currently is about the most efficient complete proof 
method for propositional classical logic. Unfortunately, attempting to adopt this 
technique into intuitionistic propositional logic leads to serious difficulties: 

— the existing Davis-Putnam procedures are defined for formulas in clausal 
form only whereas there is no clausal form for intuitionistic formulas 

— the essential idea of the Davis-Putnam procedures is a successive application 
of the law of the excluded middle which does not hold in intuitionistic logic 

In this section we present two techniques we have developed in order to overcome 
both difficulties: a translation method from intuitionistic into classical proposi- 
tional logic as well as a non-clausal Davis-Putnam procedure. 



Translating Intuitionistic into Classical Propositional Formulas. A 

natural approach to deal with intuitionistic validity is to formalize the conditions 
for intuitionistic forcing within classical first-order logic. A => B, for instance, 
would be translated into \/v.{wRv A(u) B{v)) where w denotes the current 
possible world. For the sake of completeness axioms encoding the properties of 
the accessibility relation R will be added which then must imply the translated 
formula. This technique is known as the relational translation [ H6II7I3J| . 

A major difficulty of this approach is the potential undecidability of the 
resulting classical formula. On the other hand, any intuitionistic non-theorem 
has a finite countermodel. This means that only finitely many possible worlds 
need to be considered and that one could use finite conjunctions instead of having 
to quantify over all possible worlds. Our aim therefore was to find a sufficiently 
effective mechanism for constructing such finite potential countermodels. To this 
end we have investigated the reasons which lead to infinite countermodels as 
described in the following. 

Essentially a potential countermodel can be extended by a new possible world 
in two cases which both yield important conditions for adding any further pos- 
sible worlds. If these conditions are not considered then infinitely many worlds 
without “new” properties could successively be added to the countermodel: 

The first case occurs when an implicative formula A ^ B is assumed not to be 
forced at a given possible world wq. In this case we have to assume an accessible 
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B 



world w\ where A is forced but B is not according to 
the Kripke-semantics for intuitionistic logic. This coun- 
termodel is shown in the right figure. Note, however, that 
A will remain forced at any world Wi accessible from w\. 

Thus if we encounter the case that A ^ X is assumed not to be forced at such 
a Wi then, in order to obtain a world accessible from Wi where A is forced but 
X is not, we only need to ensure X not to be forced at Wi which is accessible from 
itself by reflexivity. The respective situation is shown to the A,A^X,^ 

right. Hence, once we have added a world to our counter- 
model refuting some B it is not necessary anymore to 
add another world accessible from there in order to refute A^ X for some X . 




Likewise, the second case occurs when refuting a negated formula ^A at a 
given world wq. In this case we need to provide another accessible world w\ where 
A is forced. This situation is again shown in the right figure. A 

Once we have done so, however, there is no need to add any 
other accessible world from there on. To see why, we need the ((Fo)) 

notion of F -maximality of a given world for a given proposi- 
tional formula F. We consider a given possible world T’-maximal iff no accessible 
world forces some subformula of F which is yet unforced at the given world. One 
can easily show that for any world w and any propositional formula F there 
always is an accessible T’-maximal world md^xp{w) (cf. [II 7jL Once we have (po- 
tentially) added wi to our countermodel as shown above we know that there 
must also be an i^-maximal maxF(i(;i) accessible from wi, where F is the input 
formula of our translation. But then A is also forced at maxF(u'i) and we can 
well add maxir(r(;i) to our countermodel instead of wi. The main advantage of 
doing so is that whenever we would have to add a new world to our countermodel 
accessible from maxir(r(;i) in order to force some subformula F' of F we know 
that F' must already be forced at maxir(z(;i). Thus instead of actually adding 
this accessible world we can simply add its properties to maxir(z(;i). 



Obeying both restrictions for adding new worlds during the inductive con- 
struction of a potential countermodel for a propositional formula F will always 
lead to a finite set of possible worlds within this countermodel since F has only 
finitely many subformulas. To encode a potential intuitionistic countermodel for 
a given input formula F we first associate a unique function symbol with 
each positive occurrence of an implicative or negated subformula in F. Then we 
construct a set W of terms by applying a proper choice of concatenations of the 
Wi to the root possible world wq. The order of the within these concatena- 
tions essentially reflects the possible refutation orderings between the associated 
subformulas. No function symbol will occur more than once within a single con- 
catenation and function symbols associated with negated subformulas will only 
occur as the outermost symbol of a concatenation. 



Given a term t € W, which now denotes a particular possible world within 
a potential countermodel, the finite set Rpit) of accessible worlds will then be 
the set of those terms t' G W which contain f as a subterm. We can now essen- 
tially apply the usual relational translation approach to F . However, instead 
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of positive occurrences of universal quantifications over accessible worlds we use 
an appropriate such term as a representative for an arbitrary accessible world. 
Negatively occuring quantifications are replaced by finite conjunctions over all 
such terms denoting an accessible world. For any further details cf. [D]. 

To sum up we have achieved a morphism from intuitionistic to classical logic 
that maps propositional input formulas to propositional output formulas (note 
that no quantifiers or uninstantiated terms occur in the output formula). 



A Non-clausal Davis-Putnam Proof Procedure. The Davis-Putnam pro- 
cedure iii|12i is one of the most successful proof procedures for classical propo- 
sitional logic. Its essential idea is to apply the following splitting rule to prove 
a formula F: assign the truth values true and false to a selected propositional 
variable X occurring in F and simplify the resulting formulas, yielding Fi and 
p2- This rule is applied recursively to the formulas Fi and F2 until the truth 
values true or false are reached. The investigated formula F is valid if all leaves 
of the resulting proof tree are marked with true, otherwise F is not valid. 

Unfortunately the original formulation of the Davis-Putnam procedure and 
all existing implementations require the formula F in clausal form, i.e. in dis- 
junctive normal form. The usual translation of a given formula into this form is 
based on the application of distributivity laws. In the worst case this will lead to 
an exponential increase of the resulting formula. The application of the so-called 
definitional translation 123 yields (at most) a quadratic increase of the resulting 
formula’s size at the expense of introducing new propositional variables. 

The translation of intuitionistic into classical propositional formulas described 
above leads to formulas which are strongly in non-normal form. Experimental 
results have shown that a translation to clausal form often yields formulas which 
are too large to obtain a proof, in particular if applying the standard translation 
techniques. To avoid any translation steps to clausal form we have developed 
a non-clausal proof procedure m- It is a generalization of the original clausal 
Davis-Putnam procedure and operates directly on arbitrary propositional for- 
mulas. To this end we represent formulas by nested matrices. A matrix is a very 
compact representation of a formula and the corresponding search space (see 
also section IZ 2 I) . In the clausal Davis-Putnam procedure we regard a matrix as 
a set of clauses where each clause is a set of literals. In our non-clausal approach 
a clause is a set of matrices and a matrix is either a literal or a set of clauses. 

In the original Davis-Putnam procedure the above-mentioned splitting rule 
consists of a clause elimination step and a literal deletion step. Due to the more 
generalized treatment of arbitrary formulas the non-clausal splitting rule uses 
a matrix elimination step instead of the literal deletion step. In contrast to 
the latter it will delete a whole matrix, not only a single literal. Furthermore 
in the non-clausal approach an additional splitting rule, called beta splitting 
rule, is applicable. Our experimental results have shown three advantages of 
our non-clausal proof procedure: no translation to any clausal form is required, 
the application of a more general matrix elimination step is possible and an 
additional beta splitting rule is applicable which can shorten proofs considerably. 
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In practice, our translation from intuitionistic into classical logic combined 
with the Davis-Putnam procedure described above has turned out to be a very 
promising approach to deal with propositional intuitionistic logic. Already our 
prototypic implementations of both approaches in Prolog were able to decide the 
intuitionistic validity of a variety of propositional formulas with a performance 
competitive to any intuitionistic decision mechanism known to us. 

2.2 Proof Construction in Intuitionistic First-Order Logic 

The connection method is a well-known proof procedure for classical first-order 
logic and has successfully been realized in theorem provers like Setheo or 
KoMeT [Z|. It is based on a matrix characterization of logical validity: A formula 
F is (classically) valid iff the matrix of F is (classically) com,nlem,entaTv l[4.riy 

In propositional classical logic the matrix of a formula F is complementary if 
there is a spanning set C of connections for F. A connection is a pair of atomic 
formulas with the same predicate symbol but different polarities 0 A connection 
corresponds to an axiom in the sequent calculus. A set of connections C spans 
a formula F if every path through F contains at least one connection from C. 
With regard to a sequent calculus this means that all branches are closed by an 
axiom. A path through F contains the atoms on a horizontal path through the 
matrix representation of F. A matrix of a formula F is a compact representation 
of F and the corresponding search space. This characterization also applies to 
classical first-order logic if each connection in C is complementary, i.e. the terms 
of each connection in C can be made identical by some first-order substitution 
<JQ in which (quantifier-)variables are replaced by terms. 

Certain rules in the intuitionistic sequent calculus Cff differ from the classi- 
cal LK. . The arising non-permut abilities between these rules need a special 
treatment. In the matrix characterization for intuitionistic logic B3 this is done 
by an additional intuitionistic substitution aj. This substitution has to make 
the prefixes of each connection identical and therewith complementary. A pre- 
fix of an atom is a string consisting of variables and constants which essentially 
describes the position of it in the tree representation of the formula to be proved. 

Example 1. Consider F\ = (Pa => ~^^3xPx). The prefixes of the atomic formu- 
las Pa and Px are oqAi and 0902^304, respectively, where capital letters refer 
to variables and small letters indicate constants. The set {Pa,Px} is a connec- 
tion. It is complementary under the first-order substitution aq = {a:\a} and 
the intuitionistic substitution uj = {Ai\a2A3a4}. Since the set C = {{Pa, Px}} 
spans Pi, the formula Pi is intuitionistically valid. 

Example 2. Let P2 = (~'^P ^ P). The prefixes of the two atoms 09^102^3 and 
0904 are not unifiable. Therefore the formula P2 is not intuitionistically valid. 

According to the above matrix characterization the validity of a formula 
P can be proved by showing that all paths through the matrix representation 

^ The polarity of an atomic formula is either 0 or 1 and indicates whether it would 
occur negated (polarity 1) in the negational normal form or not (polarity 0). 
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of F contain a complementary connection. Therefore for an automated proof 
search procedure based on a matrix characterization we have to (1) search for a 
spanning set of connections and (2) test the connections for complementarity. 

Developing a proof procedure for intuitionistic first-order logic based on 
Wallen’s matrix characterization means extending Bibel’s connection method 
accordingly. It consists of an algorithm which checks the complementarity of all 
paths and uses an additional string-unification procedure to unify the prefixes. 

Searching for a Spanning Set of Connections. Proof search is done by a 
general path checking algorithm which is driven by connections instead of logi- 
cal connectives Once a complementary connection has been identified all 

paths containing this connection are deleted. This is similar to Bibel’s connec- 
tion method for classical logic but without necessity for transforming the given 
formula to normal form. Dealing with arbitrary formulas is necessary since there 
is no clausal form in intuitionistic logic. The advantage of such a method is that 
the emphasis on connections drastically reduces the search space compared to 
calculi which are connective-driven such as the sequent calculus or tableau cal- 
culi. Furthermore it avoids the notational redundancy contained in these calculi. 

Testing the Connections for Complementarity. In our path checking 
procedure we have to ensure that after adding a connection there are still first- 
order and intuitionistic substitutions which make all connections complemen- 
tary. While the first-order substitution erg can be computed by well-known 
term-unification algorithms we had to develop a specialized prefix-nnidcaiion 
procedure for computing aj. This is done by a specialized algorithm for string- 
unification P. String-unification in general is quite complicated but unifying 
prefixes is much easier since there are certain restrictions on prefixes: prefixes 
are strings without duplicates and in two prefixes (corresponding to atoms of 
the same formula) equal characters can only occur within a common substring 
at the beginning of the two prefixes. This enabled us to develop a much simpler 
algorithm computing a minimal set of most general unifiers. 

Our general proof procedure also allows a uniform treatment of other non- 
classical logics like various modal logics m or linear logic P. We only have to 
change the notion of complementarity (i.e. the prefix unification) while leaving 
the path checking algorithm unchanged. 

Path checking can also be performed by using a semantic tableau PI- The 
prover ileariTAP is based on free-variable semantic tableaux extended by the 
above-mentioned prefix unification. It is a very compact Prolog implementation 
(about 4 kilobytes) and due to the modular treatment of the different connectives 
it can easily be adapted to other non-classical logics. 

2.3 Embedding Matrix Methods into Program Development 

As long as only the matter of truth is involved, NuPRL allows to use the above 
techniques as trusted external refiners. However, whenever a piece of code shall 
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be extracted from the proof, it is necessary to convert the proofs generated by a 
search procedure back into a constructive sequent proof which, according to the 
proofs- as-program paradigm P], can be turned into a program. 

In [tl6,^2]| we have developed an embedding of connection based proof meth- 
ods into NuPRL based on such conversions. The proof method described in 
constructs a matrix proof closely related to a cut-free sequent proof in LJmc-, the 
multiply-conclusioned sequent calculus on which the matrix characterization for 
J is based [0|. Its integration into NuPRL basically consists of a transforma- 
tion from /IfTmc-proofs into sequent proofs in Gentzen’s LJ the first-order 
fragment of NuPRL ’s calculus. To allow a structure preserving transformation 
the ctti-rule had to be used in a restricted and regular manner. For the sake of 
clarity we have hidden its application within an extended sequent calculus Cff* . 

Converting Matrix Proofs into Sequent Proofs. Improving the efficiency 
of proof search in the above procedures resulted in strategies which do not sup- 
port a parallel construction of matrix proofs in Mff and £f7mc-proofs anymore. 
Proof strategies such as an extension procedure or a tableaux prover |28j (see 
also sectionl^2| make it necessary to transform matrix proofs into sequent proofs 
after the proof search has been finished. Hence, the above mapping CJmc '— *■ 
has to be extended by an additional mapping M.J ^ CJmc- 

This two-step conversion from intuitionistic matrix proofs into £f7*-sequent 
proofs has first been presented in m- The first step M.J ^ CJmc turns out to 
be non-trivial since the compact representation of Adi/-proofs, called reduction 
ordering oc*, does not completely encode the non-permutabilities of sequent rules 
in an £f7mc-proof. In order to complete this representation in the above sense we 
have extracted some conditions, called wait-labels, which are dynamically added 
during the conversion process. These conditions prevent non-invertible CJmc~ 
rules from being applied too early such that no proof relevant sequent formulas 
will be deleted. We explain our approach by an example. 



OC* OCJ OC2 

CKi ^ ^ Tcki ^ Tai^^ 




/tiV’- a4V“ T/3iV^ Tce4V“ T/3iV^ Ta4V“ 




Fig. 2. Reduction ordering cx* of the matrix proof for F. 



Consider the f7-formula F = V V ~^A and its matrix proof 

MJ represented as a reduction ordering cx* (see Fig. 0 left hand side), oc* 
consists of the formula tree of F together with additional ordering constraints 
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(curved arrows) which are extracted from the matrix proof and encode non- 
permut abilities of sequent rules wrt. LJmc- Furthermore, the connections from 
the matrix proof are assigned to the atoms of F in oc*. For unique reference 
to the subformulas of F each node in oc* contains a position x as well as the 
main operator op{x) and polarity pol{x) of the corresponding subformula F^- 
Positions with a ’/3’ name denote subformulas which cause the sequent proof to 
split into two independent subproofs, e.g. (3\ in the example. 

Proof reconstruction is based on a traversal of the reduction ordering cx* by 
visiting the positions of cx*: (i) Select a position x from the open position set Pq 
which is not “blocked” by some arrow in cx*, (ii) construct a unique sequent rule 
from pol{x) and op{x) of the subformula F^ and reduce the formula jn 

the sequent, (iii) update Po with the immediate successor positions succ {x) of x 
in cx*. The traversal process and the resulting sequent proof for F are depicted 
in Fig. 0 After reducing the /3-position j3i the reduction ordering is split into 
two suborderings cx^, cxj and the conversion continues separately on each of the 
suborderings. For this we have developed an operation split {oc* , (3i) [sa which 
first splits the reduction ordering cx*. Secondly non-normal form reductions are 
applied to each of the cx* in order to delete redundancies from cx* which are 
no longer relevant for the corresponding branch of the sequent proof. The result 
of the splitting process is shown in Fig. 0 right hand side, where the positions 
already visited are marked with ’T’. 
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Fig. 3. Sequent proof for F and the corresponding traversal steps of oc*. 



The problem of completing oc* occurs when starting the traversal with 
0:1,04,05, which is not prevented by “blocking” arrows in cx*. But such a se- 
lection ordering leads to a £f7mc-derivation which could not be completed to a 
proof since the reduction of 05 , i.e. applying on deletes the relevant 

formula (position Og). Adding two wait-labels dynamically to Og and 05 
completes cx* and avoids this deadlock during traversal. For a more detailed 
presentation of this approach as well as for an algorithmic realization we refer 
to |T7| . 

Building Efficient Conversion Procedures. The basic problem for proof 
reconstruction in constructive logics lies in the deletion of redundancies after 
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splitting at /3-positions. The reason for this is that the reduction ordering to- 
gether with dynamically assigned wait-labels could be totally blocked from fur- 
ther conversion steps although some of these labels are no longer needed. To 
avoid this kind of deadlocks and to ensure completeness of the reconstruction 
process we have to detect and delete these redundant subrelations from oc*. One 
of the deletion concepts used in the operation split is based on a non-normal 
form purity reduction which is recursively applied to non-connected leaf posi- 
tions in oc*. Consider oc* in the example above. The atom 03 is not connected 
after splitting at /3i . Application of the purity reduction deletes 03 and 05 from 
ocp Consequently, the wait-label could be removed from ag since as does not ex- 
ist any longer. If the purity reduction were not applied, both wait-labels would 
remain in cx* which would then be totally blocked for further reconstruction 
steps. 

In |,'I7i;ibj we have shown that complete redundancy deletion after splitting 
at /3-positions cannot be performed efficiently when only the spanning mating is 
given from the matrix proof. Efficiency means that the selection of proof-relevant 
subrelations from the oc* should avoid any additional search. If only the spanning 
mating is given, backtracking may be required over this selection (i.e. converting 
irrelevant subrelations) in order to retain completeness. 

For this purpose we have developed a concept of redundancy elimination 
from a reduction ordering during proof reconstruction E 1 IS 3 - The concept is 
based on the specification of additional proof knowledge from the search process 
in order to extract reconstruction knowledge for the conversion procedure. More 
precisely, the history of matrix proofs will be integrated into the conversion 
process rather than using only the spanning matings. This makes our procedure 
depend on a particular proof search strategy, i.e. an extension procedure 1ISE2I- 
But a compact encoding of this proof knowledge into the conversion process 
(which can be done in polynomial time in the size of the matrix proof) allows 
us to derive the reconstruction knowledge in terms of a few elegant conditions. 
Finally, the resulting conversion strategy integrates these conditions into the 
split operation which efficiently extends redundancy deletions after /3-splits to 
a maximal level. We are able to show that all redundancies in the resulting 
subrelations oc*, 0 C 2 will be eliminated after splitting oc* at a /3-position. This 
guarantees that no decisions on selecting proof-relevant subrelations have to be 
made and hence, additional search wrt. these decisions will be avoided. 

Our approach for reconstructing £f7mc-proofs from Adf7-proofs has been uni- 
formly extended to various non-classical logics ITTmi for which matrix charac- 
terizations exist. A uniform representation of different logics and proofs within 
logical calculi as well as abstract descriptions for integrating special properties 
of these logics in a uniform way, e.g. the completion of reduction orderings oc*, 
yields a general proof reconstruction method for all logics under consideration. 

Furthermore, a technique for efficient redundancy elimination after splitting 
at /3-positions has been developed for all of these logics |2S|- The result can be 
seen as a general framework for building efficient and complete conversion pro- 
cedures for non-classical logics when the basic proof search method is known. 
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The theoretical concept for extracting reconstruction knowledge form the cor- 
responding proof knowledge is invariant wrt. a special logic and hence, extends 
the uniformity of the underlying conversion theory. 



3 Induction Techniques 

Pure first-order logic theorem proving can only generate programs without loops. 
For deriving recursive programs induction techniques are needed during the proof 
process. In m we have developed an induction prover for “simple” induction 
problems which is based on rippling m- The basic concept for integrating this 
external prover into the NuPRL system is similar to the first-order case: (i) 
separating a subgoal in the actual NuPRL sequent, (ii) searching an induction 
proof for the goal with the external prover, and (iii) converting the induction 
proof into a NuPRL sequent proof. This integration concept has been realized 
with tactics and extends an earlier approach presented in |2S|. 



3.1 Introduction to Rippling 



In order to prove a goal by induction an induction scheme of the form 
A{base) A iyx.A{x) A{step{x))) '^x.A{x) 
has to be applied to the goal which results in the following two subgoals: a 
base case A(base), which for the most part can be proved directly, and a step 
case yx.A(x) ^ A(step{x) which needs term rewriting to derive the conclusion 
A(step{x)) from the induction hypothesis A{x). To perform rewriting in a goal 
oriented way, a special technique called rippling was introduced by Bundy m 
A more refined and formalized version has later been developed by Basin and 
Walsh P from which we take the central ideas for our presentation. 

Rippling uses annotations on subterms to mark the differences between the 
conclusion and the hypothesis. It first identifies additional function symbols in 
the conclusion, called wave fronts, which will be annotated by surrounding boxes. 
Subterms inside a wave front which are identical to the corresponding subterms 
in the hypothesis are called wave holes and will be underlined in the depictions. 
Consider for example the step case for the associativity of ’-I-’ 

{x + y) + z = X + {y + z) ^ (s(a;) -I- y) -I- z = s(a;) -I- (y -|- z), 
for which the annotated conclusion is given by 



( sfe) 



+ y) + z 




+ (y + z). 



Arrows at boxes indicate the direction to which the wave fronts will be moved 
(or rippled) in the term tree. An means that a wave front has to be moved 
towards the root (rippling- out) whereas permits a wave front to be moved 
towards the leaves (rippling-in) . For this purpose annotated rewrite rules called 
wave rules are used, e.g. 




s( U+V) 



U=V 



T 



( 1 ) 

( 2 ) 
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A proof using the rippling-out strategy is successfully finished, if all wave 
fronts have been eliminated by applying wave rules. If rippling-in is used instead 
each universally quantified variable of the hypothesis is marked with a special 
sink symbol All wave fronts have to be rippled towards these sink 

positions, which requires the application of a rule for switching from to ‘J,’ 
(there is no rule for the opposite direction) and of additional wave rules for 
rippling-in. Afterwards a substitution has to be found which matches the sink 
variables in the hypothesis with the corresponding terms in the wave fronts. 
Backtracking may be required in order to find instances for all sink variables. 

The main difference between the two strategies is that rippling-out provides 
a goal-oriented proof search whereas rippling-in does not. For rippling-out each 
step moves a wave front towards the root of the term tree and the search cannot 
branch. In contrast to this, rippling-in guides a wave front only to be rippled 
towards the leaves without giving guarantee that there exists a sink under the 
actual wave front position. Backtracking is required to find a sequence of rules 
which ripples all wave fronts into sink positions. A sink heuristic, defined in 
makes sure that rippling-in always ripples a wave front towards sink positions. 
The restriction on the class of provable problems caused by this heuristic is 
harmless compared with the gain one obtains by the reduced backtracking. 



3.2 Rippling-Distance — A Uniform Rippling Strategy 

Even with the sink heuristic rippling-in often has an untractable search space. 
In order to obtain an efficient induction strategy we have generalized rippling- 
out and rippling-in to a new uniform strategy, called rippling- distance j23j . The 
arrows and were removed from the wave fronts and each wave front is 
assigned to one goal sink. To guarantee termination a distance measure A4T> 
has been introduced which describes the distance between a wave front and its 
assigned goal sink in the term tree. Each application of a wave rule has to reduce 
this measure wrt. the selected wave front. This strategy splits the enormous 
search space into smaller subspaces which can be searched independently. 

Rippling-distance provides a more goal-oriented proof search than rippling-in 
with sink heuristic since it implicitly contains the application of the switching- 
rule. No backtracking over the switching position in the term tree has to be 
done. In the worst case m" assignments from wave fronts to goal sinks have to 
be tested for an annotated term with m wave fronts and n sinks. The number 
of possible assignments seems to be very large, but this heuristic allows us to 
divide the proof search into separate search tasks. Whereas a non-separated 
search has a complexity of about ) steps for finding a rippling proof 

the divided search needs only about steps, where d is the depth of 

the term. Furthermore, the assignment concept gives us control knowledge for 
avoiding assignments which most likely do not contribute to a successful search. 
An extension of dividing the proof search can be reached by separating the wave 
fronts into independent classes such that each class is assigned to a different goal 
sink. Then an independent proof search for each class reduces the complexity 
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to about m\ ■ d steps for m = n, and to (m' steps for m > n, where 
m' = m — (n — 1) (see for details). 

In order to uniformly integrate rippling-out into the rippling-distance strat- 
egy the definition of sinks has been generalized to arbitrary term positions. Then 
rippling-out can be seen as a special case of rippling-in by putting a sink around 
the whole term on which the wave rules will be applied, e.g. 



s(a:) < s(^) • s(x) j 



This approach can be optimized if the outermost relation of the term is equality. 
Then two sink positions are defined at the immediate subterms of e.g. 



l( s(x) +y) + zi = is{x) +{y + z)i 



The distance measure MT> can be applied directly to this rippling-out sim- 
ulation without any changes. For practical use within a rippling prover we have 
combined rippling-distance with dynamically annotated wave rules. This means 
that the annotations of wave rules are determined at runtime from a set of 
rewrite rules which do not have annotations. Since there are no direction marks 
’t’, ’i’ Eit the wave fronts the number of possible annotations is decreased and 
the annotations are easier to compute 

The admissibility of annotated wave rules has to be tested using a well 
founded reduction ordering in order to avoid cyclic sequences of wave rules. 
From the measure MV we have developed a new reduction ordering -<dist which 
can be computed more efficiently than the ordering -<comp, the compound reduc- 
tion ordering for rippling-in presented in [Q. This advantage becomes remarkable 
if multi-wave holes are used where wave fronts may contain more then one wave 
hole. Furthermore, -<dist has been extended with an additional weight-function, 
which allows the use of additional associativity and commutativity wave rules. 



3.3 Integrating the Rippling-Distance Strategy into NuPRL 

In [IjSJ we have described the integration of an external rippling prover into 
the NuPRL system which uses rippling-distance with dynamic rule annotations 
for guiding a proof search. The prover is implemented in NuPRL-ML m and 
called during a NuPRL proof session via a tactic Ripple. This tactic prepares 
the proof goal for the prover by applying an appropriate induction scheme and 
extracting the induction step. After the prover has solved this step case the 
resulting rippling proof will be translated back into a NuPRL sequent. 

An application of NuPRL’s induction scheme for natural numbers IN yields 
as step case a subgoal of the form x—1 i— > x . This means that an additional 
function symbol ’ occurs in the hypothesis which cannot be handled directly by 
the rippling calculus. We have developed a simulation of the step case x a; -1-1 
in NuPRL which is admissible for rippling. Furthermore, NuPRL’s induction 
scheme for list types TList is also supported by our rippling prover. 

Before applying an induction scheme the induction variable is moved in front 
of other universally quantified variables in order to maximize the number of sink 
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Fig. 4. Components and integration of the rippling module 

variables. After the step case is proved the translation back into a sequent proof 
has to be done. In (2S| a translation for rippling-out proofs was developed, which 
can be used for arbitrary sequences of rewrite rules. It is implemented as meta- 
tactic and uses the basic refinement rules cut, substitution and lemma. We have 
extended this approach with the following concepts p.1) - 

1. The (universally quantified) induction hypothesis can be instantiated. 

2. Polymorphic types for integration of rewrite steps can be reconstructed. 

3. Premises in a NuPRL-sequent can be used as rewrite rules. 

The first improvement is necessary for completing rippling-in proofs. The hy- 
pothesis has to be instantiated with sink terms which have been rippled into the 
sink positions of the induction conclusion. To complete a rippling-out simulation 
with optimization for equality ‘=‘ (see Sectionl^l) the generalized sink positions 
have to be unified by using the induction hypothesis as a rewrite rule. 

The second extension determines the type and universe level for a substitu- 
tion rule by analyzing the proof. This type reconstruction is necessary since the 
external rippling prover is untyped. A temporary proof goal will be generated in 
order to compute the type for a successful application of the substitution. Then 
the goal is forced to fail and the extracted type information will be used for the 
original proof. 

The last improvement allows premises of the current proof goal to be used 
as wave rules if they are in NuPRL’s universal formula format So second 
order proofs over universally quantified functions can be established by using 
the recursive definitions of these functions in the premises as wave rules. 

Many additional improvements have been made for adapting the basic trans- 
lation approach to the rippling-distance strategy. Furthermore, NuPRL‘s tactics 
BackThruLemma and BackThruHyp for backward chaining in universal formulas 
are applied to support a uniform translation of the rippling steps wrt. equality-. 
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implication- and hypothesis-axioms. The components of the rippling module and 
its integration into the NuPRL system are summarized in Fig.l^ 

In future work we will adapt NuPRL ’s induction scheme for integers Z to 
an admissible induction scheme for the rippling calculus. This can be realized 
by simply extending the presented adaption for natural numbers IN to Z. Fur- 
thermore, a library of measures Alfb and corresponding reduction orderings -<x 
will be built for realizing special extensions. In the current implementation there 
are two alternative measures, one for fast proofs in large terms and the other 
for more complicated proofs. The latter allows us to use additional associativity 
and commutativity rules for normalizing wave fronts which is necessary for un- 
blocking proof search. In the current state of the system the user has to specify 
the measure which should be used but this can be done automatically as soon 
as syntactic and functional characterizations have been developed. 



4 High-Level Synthesis Strategies 



The theorem proving techniques described in the previous sections operate on a 
rather low level of abstraction and have only little to do with the way in which a 
programmer would reason when developing a program. The application of these 
methods is therefore restricted to programming problems which are conceptually 
simple and can be solved completely automatically. 

Techniques which are to support the synthesis of larger programs, however, 
will depend on a cooperation between programmer and machine. A programmer 
will have to control and guide the derivation process while the system will fill in 
the formal details and ensure the correctness of the generated algorithms. The 
corresponding proof techniques have to operate on a higher level of abstraction 
and must be based on comprehensible formalizations of application domains and 
programming concepts rather than on low-level inferences of the logical calculus. 

Algorithm design strategies based on schematic solutions for certain classes 
of algorithms iOl have proved to be suited best for this purpose since they 
can be formulated almost entirely in programmer’s terminology. It has been 
demonstrated m that algorithm schemata do not only lead to a very efficient 
synthesis process but can also produce competitive algorithms if properly guided. 

Formally verified theorems stating the requirements for the correctness of 
an abstract program scheme are the key for an integration of these strate- 
gies into the general framework. Such theorems can be applied like high-level 
inference rules which decompose the synthesis task into the task of proving in- 
stances of the given axioms. The latter can then be solved by first-order theorem 
provers, simple inductions, applications of additional theorems, or knowledge- 
base queries. The conceptually difficult problem - generating the algorithm and 
proving it correct - has been solved once and for all while proving the formal 
theorem and requires only a single step in the synthesis process. In this section 
we shall illustrate how this methodology is used for integrating a strategy for 
the design of global search algorithms into the uniform proof system. 
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4.1 Formalizing the Design of Global Search Algorithms 

Solving a problem by enumerating candidate solutions is a well-known concept in 
computer science. Global search is a concept that generalizes binary search, back- 
tracking, branch-and-bound, and other methods which explore a search space by 
looking at whole sets of possible solutions at once. 

The basic idea of global search, illustrated in Fig. 0 is to combine enu- 
meration and elimination processes. Usually, global search has to compute the 
complete set of output values for a given input. Global search systematically 
enumerates a search space which must contain the set of all output values (a) 
and tests if certain elements of the search space satisfy the output-condition 
(b). The latter is necessary to guarantee correctness but is too fine-grained to 
achieve efficiency, particularly if the search space is much bigger than the set of 
solutions. Therefore whole regions of the search space are filtered out during the 
enumeration process if it can be determined that they cannot contain output 
values (c). 

In order to synthesize global search algorithms from specifications, we have to 
formalize their general structure as an abstract program scheme and to describe 
techniques for automatically generating appropriate enumeration and filtering 
processes. We begin by fixing the notation for general programming concepts. 

A programming problem is usually characterized by the domain D of the 
desired program, its range i?, a condition I on acceptable input values x, and 
a condition O on the returned output values z. Formally, a specification can be 
described as 4-tuple spec = (D ,R,1 ,0) where D and R are data types, I is 
a predicate on D, and O is a predicate on DxR. A specification and a (pos- 
sibly partial) computable function body : Dy^Set(R) together form a program. 
A program is correct if it computes the complete set of output values for each 
acceptable input (Vx:Z3. /(x) ^ body{x) = {z:i? | 0(x,z)}). A specification is sat- 
isfiable if it can be extended into a correct program. As in HOI we use a formal 
notation for programs which emphasizes that we are interested in computing the 
set of all solutions of a given problem (assuming that there are finitely many): 



FUNCTION f{x:D):Set{R) WHERE /(x) RETURNS {z | 0(x,z)} = body(x) . 
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FUNCTION f{x:D):Set(.R) WHERE J(x) RETURNS {z | 0(x,z)} 

= if ${x,So{x)) then fgs{x, So{x)) else [] 

FUNCTION fgs{x,s : DxS):Set(R) WHERE /(x) a J(x, s) a<^(x, s) 
RETURNS {z I 0(x,z)a sat{z,s)} 

= let immediate-solutions = 

let extracted-candidates = ext{s) in 
filter (Az.O(x, z)) extracted-candidates 
and recursive-solutions = 

let filtered-subspaces = filter (At.^(x, t)) {split{x,s)) in 
flatten (map (At./gs(x, t)) filtered-Subspaces) 
in append immediate-solutions recursive-solutions 

Fig. 6. Structure of Global Search algorithms 



The name / can be used in the body in order to describe recursive algorithms. 
Often we use only the left side to denote specifications in a more readable way. 

All the above concepts, including an M L-like mathematical notation for com- 
putable functions, can be straightforwardly formalized in the logical language of 
NuPRL (see [E2] section 2]) and are the formal foundation for the automated 
derivation of global search algorithms within the integrated synthesis system. 

A careful analysis in [ES] (later refined and formalized in mm) has shown 
that the common structure of global search algorithms can be expressed by a 
pair of abstract programs which is presented in Fig. Q These programs contain 
placeholders D, R, /, and O for a specification and seven additional components 
S, J, sqj sat, split, ext, <P which are specific for a global search algorithm. On input 
X this algorithm starts investigating an initial search space sq(x) and passes it 
through the filter <P which globally checks whether a search region s contains 
solutions. Using the auxiliary function fgs the algorithm then repeatedly extracts 
candidate solutions (ext{s)) for testing and splits a search space s into a set 
split (x,s) of subspaces which are again passed through the filter <P. Subspaces 
which survive the filter contain solutions and are investigated recursively. 

For the sake of efficiency, search spaces are represented by space descriptors 
s e S' instead of sets of values ze R and the fact that a value z belongs to the space 
described by s is denoted by a predicate sat{z, s). The predicate J(x, s) expresses 
that s is a meaningful search space descriptor for the input x. Formally S must 
be a data type. J and <P must be predicates on DxS and sat one on RxS. 
sq'.D-/^S, split:DxS-/^S, and ext:S-/^Set{R) must be computable functions. 

Six requirements, formalized in Fig. 0 must be satisfied to ensure the correct- 
ness of global search algorithms. The initial descriptor so(x) must be meaningful 
(1) and splitting must preserve meaningfulness (2). All solutions must be con- 
tained in the initial search space (3) and be extractable after splitting finitely 
many times (4). Subspaces containing solutions must pass the filter (5) and fil- 
tered splitting, the combined enumeration/elimination process, must eventually 
terminate (6). In (refined in EEni) the following theorem has been proved. 
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Vx: D. Vz: R. Vs: S. 

1. 7(x) ^ J(x, so(x)) 

2. 7(x)AJ(x, s) 'r/t e split (x, s). J(x,t) 

3. 7(x)AO(x, z) ^ sat{z,so{x)) 

4. 7(x) A J(x, s) A 0(x, z) ^ sat{z,s) 3k. 3t e spZ*t^(x, s). z e eat (t) 

5. 7(x)AJ(x, s) => ^(x, s) 3z. sat(z, s) A 0(x, z) 

6. 7(x)AJ(x,s) => 3k. spZit^(x, s) = 0 

where splits (x, s) = {t e spZit(x, s) | ^(x, t)} 

and sp/*4(x, s) = I ^ t) if k > 0 

Fig. 7. Axioms of Global Search 



Theorem 1. If D, R, I, O, S, J , sat, Sq, split, ext, and <I> fulfill the axioms of 
global search then the pair of programs given in Fig. correct and satisfies the 
specification FUNCTION /(x: 77): Set(7?) WHERE 7(x) RETURNS {z|0(x,z)}. 

Thus a global search algorithm can be synthesized for a given specification 
by deriving seven components S, J, sat, sq, split, ext, and <P which satisfy the 
axioms of global search and instantiating the abstract programs accordingly. 



4.2 Knowledge Based Algorithm Construction 

A direct derivation of global search algorithms on the basis of theorem D is ob- 
viously a difficult task. The theorem does not provide information how to find 
the seven additional components and the verification of the six axioms, particu- 
larly of axioms 4 and 6 which require induction, would put a heavy load on the 
proof process - even if the techniques mentioned in sectionsOandElwere already 
integrated into the derivation strategy. Instead, it is much more meaningful to 
base the construction of global search algorithms on general knowledge about 
algorithmic structures. For a given range type R, for instance, there are usually 
only a few general techniques to enumerate search spaces and each global search 
algorithm will use a special case of such a technique. Therefore it makes sense to 
store information about generic enumeration processes in a knowledge base and 
to develop techniques for adapting them to a particular programming problem. 

The investigations in m have shown that standard enumeration structures 
for some range type R can be stored in a knowledge base as objects of the form 
G = {{Dq, R, Igj Og), S, j, So, sat, split, ext) which are proved to satisfy axioms 
1 to 4. Such objects are called GS-theories. A problem reduction mechanism will 
make sure that the four axioms are preserved when the enumeration structure 
is specialized to a given specification which involves the same range. 

Specializing a standard GS-theory G works as follows. Its specification specG 
= {Dg, Rgt Ig,Og) characterizes a general enumeration method /g which ex- 
plores the space Rg as far as possible. Specialization simply means to avoid 
enumerating elements which are not needed and results in a kind of “truncated” 
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enumeration structure for the same type. Formally, specc can be specialized to 
a given specification spec = (D, i?, /, O) if the the following condition is valid: 

R — Rg a Vx:D. /(x) 3xg: Dq. Jg(xg) a Vz: i?. 0 (x, z) Og(xg, z) 

Thus specialization also allows to adapt the input of a problem since the 
original input x is mapped to a value x^; which serves as input for the search 
performed hy fa- A proof of the above condition implicitly contains a substitu- 
tion 9:D—^Dg which maps x to xq. 0 can be extracted from the proof and then 
be used for refining fa into a search method with inputs from D instead of Dq- 
On the output side of the problem specialization restricts fa to the computation 
of values which satisfy the stronger condition O. Technically, this can be done 
by checking O for each computed value. Altogether problem reduction allows us 
to create a global search algorithm / for the specification spec by defining 

/(x) = {zg/g(6»(x)) I 0(x,z)}. 

For the sake of efficiency, the modifications caused by 0 and O will be moved 
directly into the components of the algorithm. By an index 9 as in Jg or splitg 
we indicate that the transformation 9 is applied to all arguments expecting a 
domain value from D, e.g. splitg(x,s) = split(0(x),s). 

Specializing predefined GS-theories allows us to derive six components of a 
global search algorithm which satisfy axioms 1 to 4 with comparably little effort. 
In a similar way, we can avoid having to prove the sixth axiom explicitly. For 
each enumeration structure there are only a few standard methods to ensure 
termination through an elimination process. In II 811 HI it has been shown that 
these methods can be stored in the form of filters <P for a GS-theory G which 
are proved to satisfy axiom 6. Such filters will be called well-founded wrt. G and 
this property will be preserved during specialization as well. Thus specialization 
reduces the proof burden to checking that, after specialization, the selected filter 
is necessary wrt. the GS-theory, i.e. that it satisfies axiom 5. 

The process of adapting the search space to the specific problem can be 
completely formalized and expressed in a single reduction theorem. 

Theorem 2. Let G={{Dg, R, Ig,Og), S, J, sq, sat, split, ext) be a GS-theory. 
Let spec ={D , R, L , O) be a specification such that specG={L>G, R, Ig,Og) can 
be specialized to spec. Let 9 be the substitution extracted from the specializa- 
tion proof. Then Gg = {{D,R,I,0), S, Jg, sgg, sat, splitg,ext) is a GS-theory. 
Furthermore if is a well-founded filter wrt. G then <Fg is well-founded wrt. Gg 

Adapting standard algorithmic knowledge to a given problem moves most of 
the proof burden into the creation of the knowledge base and keeps the synthesis 
process itself comparatively easy. Information retrieved from the knowledge base 
will provide all the basic components and guarantee that axioms 1 to 4 and 6 are 
satisfied. Only the specialization condition and the necessity of the specialized 
filter - conditions whose proofs are much easier than those of axioms 4 and 6 
- need to be checked explicitly. These insights led to the following strategy for 
synthesizing global search algorithms from formal specifications (see Section 
4.4] for an application example). 
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Strategy 3 Given the specification 

FUNCTION /(|a:|:D):Set(i?) WHERE /(|x|) RETURNS {\z\ | 0(|a:|, |z|)} 

1. Select a GS-theory G={{Da, R, Ig, Oq), S, J, sq; sat, split, ext) for R. 

2. Prove that specG={DG, R, Ig,Og) can be specialized to the specification. 
Derive a substitution 0\ : \D^Dg from the proof and specialize G with 9. 

3. Select a well-founded filter for G and specialize it with 9. 

4-. Prove that the specialized filter is necessary for the specialized GS-theory. 

5. Instantiate the program scheme given in Fig. 

It should be noted that in step 4 the specialized filter could be refined by 
heuristically adding further conditions which do not destroy its necessity. In 
some case this can drastically improve the efficiency of the generated algorithm. 



4.3 Integrating the Design Strategy into Deductive Systems 

So far we have described the synthesis of global search algorithms only semi- 
formally in order to illustrate the fundamental ideas. Integrating the strategy 
into a proof based system now requires a more rigorous approach. Each step in a 
derivation must be completely formal such that it can be controlled by the proof 
system. On the other hand, each derivation step should remain on the high level 
of abstraction which we have used so far. In the following we will explain the 
techniques by which these two requirements could be achieved. 

The application of formally verified theorems is one of the most important 
principles which make program synthesis within a formal proof system like 
NuPRL feasible (see P) Section 3] for a detailed exposition) . In such systems all 
derivations must eventually be based on primitive inference rules. Formal the- 
orems, however, can serve as derived inference rules on a much higher level of 
abstraction. Their application corresponds to a single, conceptually large infer- 
ence step which would require thousands of elementary proof steps if performed 
purely on the level of primitive inferences. In order to represent rule schemes, 
these theorems contain universally quantified variables which must be instanti- 
ated by concrete values before the theorem can be applied. Finding appropriate 
values is the only difficult aspect of this technique. 

The kernel of our implementation of the global search strategy, for instance, 
is a single formal theorem which combines theorems Dand El It quantifies over 
variables for GS-theories (gs), filters (F), transformations (9), and specifications 
(spec) which must be instantiated by a proof tactic for synthesizing global search 
algorithms. The instance for spec is obvious. G and F should be provided manu- 
ally since their selection from a restricted set of alternatives is a design decision 
rather than a deductive task. The function 9, however, should be derived fully 
automatically, since it does not introduce any new algorithmic idea but is deter- 
mined by the specialization conditions. The value for 9 is only clear after these 
conditions have been investigated. 

The different nature of these variables had be taken into consideration while 
developing a NuPRL-tactic for deriving global search algorithms. In general, the 
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spec is satisfiable 

BY InstLemma {name of global search theorem) [gs; 
h gs describes global search limited by 4? 
h R(spec) = RCspecif ication(gs) ) 

1. PROGRAM SCHEME 

O SATISFIES {decidability of the output condition of spec) 
6 SATISFIES {the specification for 6) 

f iItered_body (^s specialized to spec using 6; O) 
SATISFIES spec 

END 

h spec is satisfiable 



Fig. 8. Principal structure of a proof generated by the Global Search tactic 



design of proof tactics should correspond to the structure of the proofs they 
generate. As proofs are typically divided into subproofs for certain subgoals, 
the tactic should be organized in the same manner and provide subtactics for 
the different tasks. The handling of variables representing design decisions has 
to be moved to the beginning of the proof, since they pre-structure the rest of 
it. Almost all tactics have to reflect the structure of the terms to which they 
are applied, since the primitive rules only allow a structural analysis or synthe- 
sis of terms. 

This leads to a fixed anatomy on the top-level of a proof, as illustrated 
in Fig. 0 A typical synthesis proof begins by stating that an algorithm for a 
specification spec shall be found. It then instantiates the global search theorem 
by invoking the tactic InstLemma which requires the ‘design parameters’ gs and 

denoting the concrete GS-theory and the Alter, to be provided manually. This 
results in three preconditions for the initial formula (NuPRL proceeds top-down). 
The first says that gs is valid, i.e. fulfills the axioms 1 to 4, and that ^ makes 
the search space well-founded. These assumptions are usually shown by referring 
to lemmas, since gs and are selected from a few alternatives whose properties 
are stored as lemmas in the NuPRL library. The second subgoal states that 
the range types of the specification and the GS-theory are identical. The third 
expresses that the algorithmic scheme introduced by gs and can be adapted to 
spec. Here the specialization to be performed is described in terms of so-called 
program schemes. By this we emphasize that 9 is the missing algorithmic link 
between the schematic search space and the Anal program for spec. 

Program schemes express that a complex problem can directly be reduced to 
simpler problems. The part after the implication symbol in Fig. 0 describes how 
the algorithm for the complex problem is formed by algorithms for the simpler 
ones. The latter may occur as variables which have to be declared before the 
implication symbol. The SATISFIES clause specifies the problem associated with 
the variable to be solved. Thus the Anal program f iItered_body( . . .) can be 
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constructed as soon as the two auxiliary algorithms O and 6 are given^JThe 
specification for 9 as algorithm contains all conditions in which 9 finally occurs, 
i.e. the conditions for specialization and necessity. Necessity is usually viewed 
as property of the filter <1> but, since specialization prunes the search space, we 
have to check whether the combination of and 9 results in a necessary filter. 

The overall effect of the concept of program schemes is that we can formulate 
the final program although two auxiliary algorithms are yet unknown. Applying 
the basic theorem therefore corresponds to a macro reduction step transforming 
a complicated initial specification into one or more simpler subproblems. This 
results in improved comprehensibility of both the proof and the tactic. 

Automatic proof methods are especially valuable for solving the third sub- 
goal. We have already pointed out that 9 can be only derived together with the 
proof showing that 9 satisfies its specification. This means that we need a sepa- 
rate proof search phase, in which we find out how to successfully solve the goal, 
before we can actually construct the proof. The methods discussed in sectionsEl 
and 0have these capabilities, and we will investigate to what extent they can be 
applied to subgoals of the discussed kind. In the KIDS system, term rewriting 
is successfully used to prove these conditions. Term rewriting can again be real- 
ized by theorem application. But in this case the theorems have a much simpler 
structure and instances for the quantified variables can almost always be found 
by first-order matching. 

One should now be able to imagine what had to be done to fully implement 
the global search strategy on a platform like NuPRL. As logical calculi provide 
only primitive concepts, we first had to increase their level of abstraction by 
representing standard data types like lists, finite sets, etc. as well as the corre- 
sponding operations and their laws. This allows us to formulate simple programs 
and to prove their properties. Next, in order to reason about programs as such, 
we had to implement concepts like program, specification and related notions 
which were formalized in P3 chapter 2]. The conditions for specialization and 
filtering reside on a similar level. They are used in the axioms of the GS-theories 
which had to be implemented on the basis of the specific data structure con- 
taining the different components. Furthermore, we need the fundamental global 
search theorem and its proof. Finally, relevant GS-theories together with the 
associated well-foundedness filters had to be represented. In both cases, lem- 
mas have to guarantee that the required properties are fulfilled. Together, these 
definitions and lemmas describe the formal knowledge about global search. 

All the rest is tactic development. The global search strategy, as explained 
above, had to be built from the top-level tactic and many subtactics solving 
specific subtasks. Moreover, tactics had to be written for proving the laws of the 
data types, the global search theorem, the properties of different GS-theories and 
filters. Although these proofs have to be constructed only once, it does not make 
sense to create them without automatic support. We expect that integrating the 



^ When presenting the global search method on paper one easily overlooks the fact 
that the predicate O must be transformed into a computable function. 
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techniques discussed in sections El and especially induction, into our tactics 
will be very helpful for this purpose. 

Once the global search tactic has found a proof, we can extract a correct 
algorithm from it using NuPRL’s standard extraction mechanism. The KIDS 
system has shown that the efficiency of this algorithm can dramatically be im- 
proved by postprocessing steps. It needs to be investigated where to place such 
a step in a system which relies of derivations in a formal logic. 

In our current implementation we have completed only the essential parts of 
the global search strategy in NuPRL. Especially, only the proofs for the relevant 
library theorems have been implemented, because the necessary proof methods 
were not yet integrated. Instead, while formalizing the various concepts, we have 
focused on the question whether type theory, despite the many formal details, is 
suitable for practical program synthesis. As it turned out, the strict semantics 
of type theory led to deeper insights into some of the concepts: it forced us to 
change their formulation since the obvious one often meant something differ- 
ent or was not even well- formed. Our work also led to improvements of some 
standard tactics of NuPRL: in the term rewriting tactic we can often infer type 
information automatically. By this the chances for success have been dramati- 
cally increased; an automatic invocation of such a tactic is now imaginable. This 
allows handling many difficulties resulting from the peculiarities of the calculus. 
We believe that the formal complications can be further limited by integrating 
additional proof methods which will make program synthesis feasible even within 
the strict framework of proof systems. 



5 Conclusion 

We have presented the design of the program synthesis system MAPS which 
integrates a variety of techniques from automated theorem proving and algo- 
rithm design at different levels of abstraction. We have demonstrated how proof 
procedures for (constructive) propositional, first-order logic, and induction as 
well as schema-based algorithm design strategies can be embedded into a single 
framework for automated proof and program development. 

Because of the rigorous formal framework into which all these methods are 
embedded, executing the individual techniques is somewhat less efficient than 
separate implementations. We believe however that the integrated approach is 
the safest way of combining them into an automated reasoning system which can 
deal with many of the problems occurring during a formal program derivation. 

Future work will involve a more efficient implementation of the individual 
techniques and support for a stronger cooperation between the high- and low- 
level methods. We are currently elaborating a method for extracting programs 
directly from matrix and induction proofs. We also intend to deepen our studies 
on induction techniques and to integrate additional algorithm design strategies 
using the same methodology. We will also work on supporting several existing 
functional, logical, and imperative programming languages as a target language 
of our derivations. Recent work on embedding the Objective Caml programming 
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language into NuPRL’s formal language [2D] has shown that the practical use- 
fulness of systems for program synthesis and transformation can be drastically 

increased by such efforts. 
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Abstract. We try to formalize the intuitive reasoning which we nor- 
mally use to get convinced that a query has successful LD-derivations in 
a program. To this purpose we define the class of programs and queries 
without failures which have the property of not having finitely failing 
derivations. Such property is simple to verify, it is preserved through 
leftmost unfolding and it can be useful both in verifying properties of 
logic programs and in program transformation. The class of programs 
without failures is very restricted but in program transformations it is 
sufficient that only some predicates in the program are in the class. 
Keywords and Phrases: finitely failing derivations, program transforma- 
tion, program verification 



1 Introduction 

Logic programming is a declarative paradigm. This pleasant characteristic allows 
one to ignore the computation and simply define which are its desired results. 
But, when queried through a Prolog interpreter, logic definitions are performed 
with backtracking: some fail and some succeed. Finitely failing LH-derivations 
(FDs) are not relevant from the logical point of view, unless the entire LD-tiee 
is finitely failing. Thus FDs are ignored in the formal description of the pro- 
gram which is concerned only with successes and computed answer substitutions 
(c.a.s.) or with the total absence of successes for a given query. Also formal tech- 
niques for verifying program properties focus only on successful computations. 
Nevertheless FDs are relevant from the efficiency point of view; in correctness 
verification absence of successes can be hidden; in Prolog program transforma- 
tions, where the size of the LD-tiee for a query is relevant, the presence of FDs 
can make difficult to check applicability conditions for transformation opera- 
tions, such as unfold, replacements or switching of two atoms. 

On the other hand when we write a logic program, we have some intuitive 
confidence that it will produce the desired computed answer substitutions for 
some sets of queries. In some intuitive way we are able to distinguish failing 
computations from successful ones. 

We try to formalize this intuitive feeling, by giving a sufficient condition which 
ensures that a given program and query are without failures, namely they cannot 
have finitely failing derivations (noFD). Then we discuss the use of this condition 
both in verifying program correctness and in program transformation. 
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Our condition is very restrictive since we want it to be verifiable from the text 
of the program and failures are difficult to be syntactically characterized. Never- 
theless we believe that it can be useful, since in general it is necessary to verify 
the condition only on some parts of the program. 

In Section 2 we set some notation, then in Section 3 the class of programs 
and queries without failures (noFD programs and queries) is introduced and 
exemplified. We prove that a noFD query in a noFD program cannot finitely 
fail. In Section 4 we discuss how to use these concepts for verifying program 
correctness and for program transformation. Conclusions follow in Section 5. In 
the Appendix some useful definitions and proofs are given. 



2 Basic Notions 

Given a substitution ry and a set of variables X, we denote by rj\x fh® substitution 
obtained from t] by restricting its domain to X. Given an expression (term, atom, 
query,. . .) E, we denote the set of variables occurring in it by Var{E). We often 
write r]\E to denote r]\ var{E)- A renaming is a substitution which is a permutation 
of its domain. We write E ^ E' to denote that E and E' are variant expressions, 
that is there exists a renaming p such that E = E' p. When a renaming of E 
maps V ar{E) in “new” variables we call it a new renaming of E and we speak 
of Ep as a new variant of E. 

We consider definite logic programs executed by means of the LD -resolution, 
which consists of the usual S'LD-resolution combined with the leftmost selection 
rule as Prolog interpreters do. Throughout the paper we use queries instead of 
goals. A query is a sequence of atoms or fail, fail stands for the query associated 
to a failure and □ for the empty query. An L£)-derivation ending with □ is a 
successful LD -derivation, one ending with fail is a, failing one (ED). 

We denote sequences by bold characters and we use identifiers to label clauses 
and derivations. Then I : Q R stands for ’’there exists an LZ?-derivation, 

I, of the query Q in P ending in the query R and a is the composition of 
the relevant and idempotent mgu's applied during the derivation” . Similarly 
Q I — □ denotes a successful PP-derivation of Q in P with c.a.s. (T|q. 
Q I — ?p R denotes one derivation step and we say that it is non-trivial if R is 
not fail. The length of an PP-derivation I is denoted by | Z |. 

The rest of the notation is more or less standard and essentially follows iW 

In the paper we make use of the notion of modes and types introduced in 
We consider a combination of modes and types and adopt the following assump- 
tion: every considered relation has a fixed mode and a fixed type associated with 
it. This assumption allows us to talk about types of input positions and of out- 
put positions of an atom. For example, app{-\- : List, -\- : List, — : List) denotes 
a ternary relation app with the first two positions moded as input and typed 
as List and the third position moded as output and typed as List. A similar 
denotation is called a directional type in HH. 
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From [m we take also the notion of well-typed query and program. A complete 
treatment of this topic can be found in [2,4]. In the Appendix we recall only the 
main definition. 



Definition 1. Let P be a well-typed program and B a well-typed query in P. 
The terms of B are denoted by Term(B). 

The input (output) terms of B, denoted by In(B)(Owt(B)), are the terms in 
input (output) positions in B. □ 



3 Programs and Queries Without Failures (noFD) 

In this section we give a sufficient condition for absence of failing derivations 
(FDs). We assume to have directional types information and to deal only with 
well-typed programs and queries. Intuitively in an LZ?-derivation, FDs may hap- 
pen when some term is instantiated in an ’’incorrect” way, namely it forbids uni- 
fication with further input clauses. This intuitively means that for avoiding FDs, 
inputs must be correetly given, while outputs should be correctly instantiated by 
the evaluation. 

We define an interesting class of programs: programs without failures (noFD 
programs). These programs have a clear functionality from input to output and 
they can be non-deterministic. They satisfy the strong property that, in an LD- 
Derivation, for any selected atom correctly typed in input positions and with 
uninstantiated variables in output positions, there exists a unifying clause in P. 



Definition 2. Let P be a well-typed program. 

A clause c: H ^ Ai , . . ., Ai , . . ., A„. in P is without failures (noFD clause) iff 
for i £ [1, ?T-] 

1. ("Output positions in the body are filled in with distinct variables.'^ 

Out{Ai) = V ar{Out{Ai)) and if X\, . . .,Xk are the output terms in Ai, then 
Xj ^ Xh, for j yf h, j, h G [1, k], 

(which do not appear in input terms in the head and leftmost in the body.'^ 
and Out(Ai) n {V ar{In{F[)) U Var{Ai , . . ., Ai_i) U Var{In{Ai))) = 0; 

2. for all substitutions a such that 

Ata is correctly typed in input and Out(Aia) is a new variant ofOut(Ai), 
there exists a variant of a clause AT <— Ci, . . ., Cr. in P, standardized apart 
wrt Aia, and an mgu a such that a = mgu{K, Aia). 

A predicate p in P is without failures (noFD predicate) iff all the clauses in (the 
deductive closure of) its definition in P are noFD ones. 

The program defining p is then a program without failures (noFD program) . □ 

Definition 3. Let Q = Bi, . . ., Bj, . . ., Bm be a well-typed query. 

Q is without failures (noFD query) in a program P iff 
for j G [l,m], 
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1. (^Output positions are filled in with distinct variables 

Out{Bj) = Var{Out{Bj)) and if Xi, . . Xk are the output terms in Bj, then 
Xi ^ X}i, for i ^ h^ i^h ^ [1, /c]^ 

(which do not appear leftmost;^ 

and Out{Bj) n {Var(Bi, . . Bj-i) U Var{In{Bj))) = 0; 

2. for all substitutions a such that 

BjU is correctly typed in input and Out(Bja) is a new variant of Out(Bj), 
there exists a clause K ^ C\, . . .,Cr- in P, standardized apart wrt Bja, and 
an mgu a such that a = mgu{K, Bja). □ 

The condition for being noFD is local, namely each clause can be considered 
separately. Only atoms in the clause bodies and in the queries have to satisfy 
the restrictions, on the head atoms no restriction is required. Hence a well-typed 
program containing only facts is trivially noFD. Note also that the first condition 
is syntactic and then very simple to verify. The second condition is more complex 
since it is semantic and relates the clause to its context, but, if a type definition is 
available, it can be statically verified as shown in the following simple examples. 

Example 1. 1) Let us consider the append program 
app( [] , Ys, Ys) . 

app([X|Xs], Ys, [X|Zs]) <— appCXs, Ys, Zs) . 
with the directional type app{-\- : List, + : List, — : List). 

This program is noFD. In order to verify this, we observe that it is well- typed 
wrt its directional type. 

The first clause is a fact. Then we consider only the second clause. 

The clause has only one atom in the body: Ai = app{Xs,Ys, Zs), where 
Out(Ai) = {Zs}, which is a variable and 

Out{Ai)n(yar{In{H)\JVar(In{Ai))) = {Zs}n({X,Xs,Ts}U{Xs,Ts}) = 

0. 

The first condition of Definition 0 is then satisfied. 

Moreover for any substitution a such that Xsa,Y sa S List and Zsa is a new 
variant of Zs, we have a unifying clause in the program. In fact Y sa unifies with 
a variable in both the clauses. By definition of List, Xsa is either an empty list 
or a non-empty one, the two cases are respectively captured by the first and the 
second clause in the program. 

2) Let us consider now the query Q = app{[l], \2], Zs),app{Zs, [3], Ms). 

It is a noFD query in the previous program app. In fact it is well-typed and it 
satisfies the first condition in Definition|31 Namely Out{Bi) = {Zs}, Out{B 2 ) = 
{Fs} and Out{B 2 ) n {Var{Bi) U V ar{In{B 2 ))) = 0. It also satisfies the second 
condition in Definition 0 For B\a, with a a new renaming of Zs, the second 
clause of append unifies. For B 2 a, with Zsa S List and Ysa new variant of 
Fs, one of the two clauses of append unifies since Zsa is either an empty or a 
non-empty list. 

3) Let us consider now the two queries: app([l], [2], a) and app{[l], [2], [3]). 

They both are well-typed but they do not satisfy the first condition for noFD 
queries. In fact Out{Bi) is not a variable in both of them. 



32 



Annalisa Bossi and Nicoletta Cocco 



4) Let us consider the two queries Qi = app{[l],[2], Zs),app{Zs,[3], Zs) and 
Q 2 = app{ [1] , [2] , Zs) , app{ [2] , [3] , Zs) . 

These queries are well-typed but they do not satisfy the first condition for 
noFD queries too. In this case the problem is that Out{B 2 ) fl (Var{Bi) U 
V ar{In{B2))) ^ 0 . 

5) Let us consider now append with the reverse directional type app{— : List, — : 
List, -I- : List). 

Also in this case the program is noFD. 

Let us consider the query app{X, X, [1, 2, 3]) wrt the same directional type. 

This query is not noFD since Out{Bi) does not contain distinct variables. □ 

noFD programs and queries form a rather restricted class since output terms in 
the query and body atoms must always be uninstantiated variables. But this is 
also a very interesting class since we can prove that a noFD query in a noFD 
program cannot have FDs. 

First we state an important property of programs and queries, namely that LD- 
resolution preserves the property of being noFD. 

Lemma 1. Let P be a noFD program and Q a noFD query in P. Let us consider 
one non-trivial LD-derivation step Q | — ?p QL The query Q' is also noFD. 

The proof can be found in the Appendix. 

Theorem 1. Let P be a noFD program and Q a noFD query in P. Then Q 
cannot have finitely failing derivations. 

Proof. We prove that for any noFD query Q and any natural number n, if Q 
has a finite LD-derivation of length n then it is a successful derivation. 

The proof can be given by induction on n. 
n = 1. Q I — R. 

By contradiction let us assume R = fail. Hence the first atom of Q can unify 
with no clause in P. 

But Q is noFD in P, hence well-typed, and its first atom, Bi, is then correctly 
typed in input positions. By the second property in Definition El we have a 
contradiction for a = e. 

Hence finite derivations of one step can only be successful ones, 
n > 1. Let us distinguish the first step in the derivation: Q | — ?p Q' | — ?p 

R. 

By Lemmadwe know that the first resolvent Q' is still a noFD query. Then, by 
inductive hypothesis applied to Q' \-^p R, we have the thesis. □ 

Note that our conditions for being noFD are only sufficient to guarantee absence 
of FDs. They are clearly not necessary, in fact the query Q = app{[l], [2], Zs), 
app{\l], [2], Zs) is not noFD, since it does not satisfy the first condition in Defi- 
nition 0 but it does not have FDs. 

On the other hand the fact of being noFD clearly does not imply anything on 
termination. Let us consider the query p(a,Y) and the trivial program 
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p(X,Y) <-p(X,Y). 
p(X,b) . 

with directional type p{+ : Const, — : Const). Both the query and the program 
are noFD but the query has an infinite LD-tiee. What we can safely claim is 
that all finite LD-derivations in such a tree are successful. 

The class ofnoFD programs and queries is very restrictive, in fact outputs cannot 
be compound terms. For example the queries Qi = app{[0, 1, 2], [3], [0|Xs]) and 
Q 2 = app{[Q, 1, 2], [3], [X|Xs]), which do not have FDs, are not noFD. Another 
case which is not captured is exemplified by the query app{[X, 1, 2], [3], [XlAs]) 
which is not in the noFD class since Var{In{Bi)) n Var{Out{Bi)) = {W} and 
then the first condition in Definition 0 is not satisfied. But this query clearly 
does not have FDs! 

In order to capture also the previous examples, it would be nice to weaken 
the first syntactic conditions in Definition 0 and 01 Unluckily there seems to 
be no easy way to do it. Let us consider for example the finitely failing query 
app{[\, 1, 2], [3], [a I As]). As soon as we allow for compound terms in output, we 
have to face these cases. The well-typing condition is no more sufficient to ensure 
absence of FDs, we would need to impose semantic conditions such as the ones 
given in p]. Namely we should require that for all substitutions a such that Bia 
is correctly typed in input and Out(Bia) is a new variant of Out{Bi), there exist 
7 such that Bia^ G Mp, where Mp is the least Herbrand model of P. 

Since our goal is to define a static analysis technique for determining absence of 
FDs, we do not want to have ’’semantic” conditions. 

Moreover, and more seriously, test queries cannot be in the noFD class. In fact 
for a test query the last condition in Definitional cannot be satisfied for all type- 
correct inputs since the purpose of a test is just to act as a filter. As a simple 
example let us consider the noFD program: 

test (a, a) . 
test (a,b) . 
test (c , c) . 

with directional type test(+ : Const,— : Const) and the query test{b,Y). 
Clearly such a query cannot satisfy the second condition! 

As another example consider the simple query Q = app{[l],Ys, Zs),Ys 7 ^ [2,3]. 
Clearly the second atom in this query cannot satisfy the second condition. 

For this reason, all generate-and-test programs are automatically excluded from 
the class of noFD programs, as well as all the programs which use tests. 

Example 2. 1) Let us consider the following program 

sumlist ( [] , 0) . 

sumlist ( [X jXs] , SX) <— sumlistCXs, S) , sum(S, X, SX) . 
sum(0, X, X) . 
sum(s (X) , Y, s (Z) ) 



sum(X, Y, Z) . 
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The predicate sumlist{xi, X2) defines the relation between a list of natural num- 
bers, xi, and a natural number, X2, which is the sum of the elements of the list. 
The directional types are sumlist(+ : ListNat, — : Nat) and sum{+ : Nat, + : 
Nat, — : Nat). 

The predicate sumlist is noFD. In order to prove it we observe that it is well- 
typed and then we consider the two recursive clauses in the definition of sumlist 
and sum. 

Let us consider the clause sumlist{[X\Xs], SX) sumlist {Xs,S),sum{S,X, 

SX). 

The first syntactic condition in Definition 0 is trivially satisfied. 

For the second one: let us consider a\ such that sumlist{Xs, 5 ')ai is correctly 
typed in input and with Sai new variant of S. Then Xsa\ € List, namely ei- 
ther it is an empty list or it is non-empty one. In the first case sumlist{Xs, S')ai 
unifies with the first clause in the definition of sumlist, in the second case with 
the second clause. 

Let us consider the clause sum{s{X),Y, s{Z)) <— sum{X, Y, Z). 

The first condition in Definition Q is trivially satisfied. 

For the second one we have to consider 02 such that sum{X, Y, Z)a2 is correctly 
typed in input and with Za2 new variant of Z. Then Xa2,Ya2 G Nat. Y a2 can 
unify with any clause in the definition of .sum, since the second term in both the 
clauses is a variable. Xa2 is either 0 or s{N), with N G Nat. In the first case it 
can unify with the first clause in the definition of sum, in the second case with 
the second clause. 

2 ) Let us consider a few programs taken from pE|. Wrt the specified directional 
types, they are all noFD. 

prefix! [] , Ys) . 

prefix! [X |Xs] , [X|Ys]) prefix!Xs, Ys) . 
with directional type prefix{— : List,+ : List); 
suffix!Xs, Xs) . 

suffix!Xs, [Y|Ys]) «— suffix!Xs, Ys) . 

with directional type suffix{— : List,+ : List); 
length! [] , 0 ) . 

length! [X |Xs] , s!N)) <— length!Xs, N) . 
with directional type length{+ : List, — : Nat); 
reverse! [] , [] ) . 

reverse ! [X |Xs] , Zs) <— reverse !Xs, Ys) , append !Y s, [X], Zs) . 

with directional types reverse{+ : List, — : List) and app{+ : List, + : List, — : 
List); 

preorder !void, []). 

preorder !tree!X, L ,R), Xs) preorder !L, Ls) , 
preorder!R, Rs) , 
append! [X |Ls] , Rs, Xs) . 
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with directional types preorder(+ : Btree, — : List) and app{+ : List, + : 
List, — : List). 



hanoi(s(0) , A, 
hanoi(s(N) , A, 
hanoi(N, C, 
append (Ms 1 , 



B, C, [A to B] ) . 

B, C, Moves) ^ hanoi(N, A, C, B, Msl) , 
B, A, Ms2), 

[A to B |Ms2] , Moves) . 



with directional type preorder{+ : Nat,+ : Pegs,+ : Pegs,+ : Pegs, — : List), 
where Pegs = {a, b, c}. □ 



4 Applications 

4.1 Program Correctness 

Many techniques have been developed for proving properties of logic programs. 
Among the properties we usually want to prove are termination wrt a given 
query partial correctness of the program wrt a given specification 

[HtipKpi.3pi.5pdp^ and program completeness wrt a specification 015,3]. 

A difference with imperative programmming is that in logic programming partial 
correctness of a program wrt a given specification and universal termination of 
a query do not imply that the query has correct computed answers. In fact, as 
pointed out in |Q, partial correctness and termination do not imply that there 
are actually correct results, because finite failures are ignored in the verifica- 
tion. For example we can prove the partial correctness of the app program wrt 
the Pre/Post specification {xl,x2 G List\app{xl,x2,x^){xl,x2,x'H G List}. 
This is exactly the same as proving well-typing of app wrt the directional type 
app{+ : List,+ : List, — : List). It means that if app is invoked with the first 
two terms xl,x2 which are lists and if it successfully terminates, then the c.a.s. 
will be such that also the third term, x3, is a list. We can also prove that the 
query app{[l], [1, 2], [1, 2]) universally terminates in app since such a proof basi- 
cally depends on the groundness of the first list. We can prove that it is partially 
correct wrt an appropriate instance of the same Pre/post specification, namely 
{[1],[1,2] G Lfst}opp([l], [1, 2], [1, 2]){[1], [1, 2], [1, 2] G List}. But nevertheless 
the query has only a finitely failing LD-derivation. This cannot be seen in the 
verification process and it is due to the fact that correctness proofs are inductive 
and they ignore failures. When the Pre-condition is satisfied for an atom in a 
clause body or in a query, if the atom succeeds then the proof method assumes 
that the Post-eondition holds. In order to state that there are correct solutions 
to our query, we need to know also that there are actually successful derivations. 
To this purpose the following Corollary can be used. 

Corollary 1. Let P be a noFD program and Q a noFD query in P . If Q uni- 
versally terminates, then it has at least a successful derivation. □ 

Hence in order to be sure that there are correct c.a.s. we can verify: 
universal termination of the query -|- partial correctness of the program and the 
query -|- the noFD property of both. 
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Clearly proving the noFD property is stronger than what we actually need. In 
fact being noFD and universally terminating implies absence of finite failures, 
while it would be enough to know that there is at least one successful LD- 
derivation. But this is in general more difficult to prove, while the noFD property 
is rather easy to prove statically and the proof can be automatized. 

Example 3. 1) Let us consider the app program with the usual directional type 
app{+ : ListNat,+ : ListNat,— : ListNat) and the query Q = app([l,2], 
[3,5],Zs), app{Zs, [6,8],ys). 

We can prove, with one of the existing techniques, that app{ll, 12, 13) is partially 
correct wrt the Pre/Post specification {Zl, 12 G List}/{13 = 11 ■ 12} and that the 
query universally terminates and it is partially correct wrt the same Pre/Post 
specification. But since we know that both app and Q are noFD, we can state 
also that 13 is actually correctly computed. Moreover we can claim also that the 
computation of the correct result 13 is efficient, namely it contains no failing 
sub- computation. 

2) Let us consider again the program for computing the sum of the elements of 
a list: 

sumlistC [] , 0) . 

sumlist ( [X |Xs] , SX) <— sumlistCXs, S) , sum(S, X, SX) . 
sum(0, X, X) . 

sum(s(X), Y, s(Z)) <— sum(X, Y, Z) . 

with directional types sumlist(-\- : ListNat, — : Nat) and sum{-\- : Nat,-\- : 
Nat, — : Nat). 

Let us consider the well-typed query sumlist{\l,2,3,4,,b,&\,N). We can prove 
that the program sumlist(ls, s) is partially correct wrt the Pre/Post specifica- 
tion: {Is G List}/{s = '^Ci, with G Is}. We can also prove that the query 
is universally terminating and partially correct wrt the Pre/Post specification. 
But since the program and the query are noFD, we can actually state that there 
is a c.a.s. (N = 21). 

As in the previous example we can also state that the computation of N is 
efficient, since it contains no failing sub-computation. □ 



4.2 Program Transformation 

When dealing with Prolog programs the order of atoms in the clauses is rele- 
vant, as a consequence program transformation techniques become much more 
restrictive in order to preserve the semantics. 

In we define a safe transformation sequence, based on new-definition, un- 
folding and folding, which preserves c.a.s. and universal termination of Prolog 
programs. Such safe transformation sequence is similar to the one defined by 
Tamaki and Sato for logic programs [Eg, but it is more restrictive. The order of 
the atoms in the bodies is taken into account and moreover the transformation 
operations have to be applied in the following fixed order: 
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i) extend the program with a new, non-recursive, definition; 

this extension is the only part of the program which is manipulated in the fol- 
lowing three steps (ii, iii, iv); 

ii) apply a decreasing unfold; 

iii) apply unfold or any other non-increasing and complete transformation 
operation; 

iv) apply fold to introduce recursion; 

v) apply fold to the rest of the program. 

Note that the transformation sequence includes a decreasing unfolding step (ii) 
which is necessary in order to prevent folding in step (iv) from introducing loops. 
For characterizing decreasing unfolding in we state the following Lemma 
which requires to verify absence of FDs. 

Lemma 2 Let c : iV <— A, i?, C. be the only clause in P defining the 

predicate symbol of N. Let a be a substitution such that Var(a) H Var(c) C 
Var(N) and Aa has no failing derivation in P. 

Then, unfolding B in c in P is decreasing wrt G = {Aa}. □ 

Clearly unfolding the leftmost atom in the definition is decreasing. But we can 
now ensure the requirement of the Lemma also on a non-trivial Aa by verifying 
that Aa is a noFD query in a noFD program. Hence the noFD property gives 
the possibility of unfolding also atoms which are not leftmost while preserving 
universal termination. 

In 0 we extend the safe transformation sequence by adding the possibility to 
apply a replacement operation in step (iii). Replacement is a very powerful trans- 
formation operation used to replace a sequence of atoms in a clause body with 
another (equivalent) sequence | yfilL9I23ll7illjlf . The switching operation, which 
switches two adiacent atoms in a body, is just a special case of replacement. It 
is often necessary to reorder the atoms in the body of clauses for applying other 
transformations such as folding. In the Appendix we recall Definition 5 from 
It gives an applicability condition for safe replacement such that it is both 
non-increasing and complete. This guarantees that it preserves both c.a.s. and 
universal termination when used in a safe transformation sequence. If the two se- 
quences of atoms involved in the replacement are noFD queries, the verification 
of such applicability condition can be greatly simplified. 

Here is a concrete example of transforming a program by a safe transformation 
sequence which uses two kinds of replacement: associativity of a predicate and 
switch. 

Example 4- Let us consider again sumlist{xi,X2)'- 
sumlist ( [] , 0) . 

sumlist ( [X |Xs] , SX) <— sumlistCXs, S) , sum(S, X, SX) . 
sum(0, X, X) . 
sum(s (X) , Y, s (Z) ) 



sum(X, Y, Z) . 
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with directional types sumlist(+ : ListNat,— : Nat) and sum{+ : Nat,+ : 
Nat, — : Nat). 

We can prove, with one of the known techniques [5,10,24], that both the well- 
typed queries sumlist{x,y) and sum{xl,x2,x2i) universally terminate. Moreover 
we have already verified that, wrt the specified directional types, the program is 
noFD. We apply now the extended safe transformation sequence defined in [7,8] 
in order to linearize sumlist with the accumulation technique. 

i) add a new definition for introducing the accumulator: 

d: sacc(L, Tot, Acc) sumlist(L, SX) , sum(SX, Acc, Tot). 

with the induced directional type sacc(+ : ListNat, — : Nat,-\- : Nat), 
sacc is well-typed and it universally terminates. 

Note that the new clause is noFD. 

In order to optimize sacc we apply the following transformations: 

ii) unfold the first atom sumlist in d (decreasing unfold): 

sacc([], Tot, Acc) <— sum(0, Acc, Tot). 

sacc([X|Xs], Tot, Acc) sumlistCXs, S) , sum(S, X, SX) , 
sum(SX, Acc, Tot). 

iii) unfold the first clause and apply the associative property of sum to the 
second clause, namely replace B = sum{S,X,SX),sum{SX,Acc,Tot) with 
B' = sum{X, Acc,T),sum{S,T,Tot). 

This is a safe replacement wrt its directional type by Definition Q(see the Ap- 
pendix). In fact it is easy to verify that such replacement is syntactically safe 
and it preserves the well- typing. Moreover in the following two Lemmas we prove 
the validity of the other two conditions required by Definition Q 

Lemma 3. B and B' are equivalent in the second clause, c, wrt the program. 
Proof We have to prove that: 

for all substitutions 9 such that V ar{9) n V ar{c) C Var{F[, A), Var{9) n F = 0 
and c9 is well- typed. 



MlPl{B9)\xe = MlPl(B'9)\xe- 

This can be proved by transformation as follows. 

Since 9 in Definition 0 cannot modify {S'A, T}, we can apply to B our safe 
transformation sequence. 

i) We define 

d: pl(S, X, Acc, Tot) 4— sum(S, X, SX) , sum(SX, Acc, Tot). 

with directional type pl(-l- : Nat, : Nat, : Nat, — : Nat), d is well-typed and 
the well-typed instances of d exactly correspond to the instances B0 of Definition 

□ 

ii) We unfold the leftmost atom in d. It is a decreasing unfold. 

1: pl(0, X, Acc, Tot) <— sum(X, Acc, Tot). 

2: pl(s(XO, X, Acc, Tot) sum(X’ ,X,SXO , sum(s(SXO ,Acc,Tot) . 
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iii) We unfold clause 1 and the second atom in clause 2. 

3; pl(0, 0, Acc, Acc) . 

4; pl(0, s(X’), Acc, s(Tot’)) ^sum(X’, Acc, Tot’). 

5: pKs(X’), X, Acc, s(Tot’)) sum(X’ , X, SX’) , 

sum(SX’, Acc, Tot’). 

iv) We apply fold to clause 5, thus obtaining the final program: 

3: pl(0, 0, Acc, Acc). 

4: pl(0, s(X’), Acc, s(Tot’)) «— sum(X’, Acc, Tot’). 

5: pKs(X’), X, Acc, s(Tot’)) ^pl(X’, X, Acc, Tot’). 

We now apply the safe transformation sequence to B'. 

i) We define 

d: p2(S, X, Acc, Tot) <— sum(X, Acc, T) , sum(S, T, Tot). 

with directional type p2(+ : Nat,+ : Nat,+ : Nat, — : Nat), d is well-typed 
and the well-typed instances of d exactly correspond to the instances B'0 of 
Definition 0 

ii) We unfold the second atom in d. 

By Lemma ^ this is a decreasing unfold wrt G = {p2{S , X , Acc,T ot)a\ for all 
a which can be applied in an LD-derivation to d, when used as input clause. In 
fact for all substitutions a such that V ar(a) n V ar(d) C X, Acc, T ot} and da 

well-typed, we have that Ta = T and then sum{X, Acc,T)a cannot fail. This 
can he obtained as a consequence of the fact that sum{X, Acc,T)a is universally 
terminating and noFD. 

1: p2(0, X, Acc, Tot) <— sum(X, Acc, Tot). 

2: p2(s(X’), X, Acc, s(Tot’)) <— sum(X,Acc,T) , sum(X’ ,T,Tot ’ ) . 

iii-iv) We unfold clause 1 and then fold clause 2 thus obtaining the final 
program: 

3: p2(0, 0, Acc, Acc). 

4: p2(0, s(X’), Acc, s(Tot’)) <— sum(X’, Acc, Tot’). 

5: p2(s(X’), X, Acc, s(Tot’)) <-p2(X’, X, Acc, Tot’). 

The two programs obtained by B and B' through a safe transformation sequence 
are identical modulo predicate renaming. In this way we proved that B0 and B'0 
are equivalent wrt our semantics and wrt their common variables for all instances 
0 as required in Definition ^ □ 

We should now verify the last condition in Definition 0 

Lemma 4. B' is non-increasing in c wrt B in P. 

Proof We have to prove that: 

for all substitutions 9 such that Var{0) n Var{c) C Var{H, A), Var(6) nY = 0 
and c9 is well- typed, 
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for any finite LD-derivation I' : B'0 | — R, where either R = □ or R = fail, 

there exists a corresponding finite LD-derivation I : B0 | — R, with X6S' ^ 
X9S, which is not shorter: \ I |>| I' |. 

We should then analyze both successful and failing LD-derivations of B' and 
B. But the original program defining sum is noFD and the tranformation steps 
performed until now did not modify the definition of sum. We can then easily 
prove that the queries B and B' are noFD. Hence by Theorem^we know that B 
and B' have no finitely failing LD -derivations, which allows us to cosider only 
successful LD -derivations o/B and Bb 

Successful derivations of a well-typed query sum{X, Y, Z)6 have length \ X6 \ +1. 
This can be easily proved by induction on\ X6 \ . 

Then successful derivations of B'6> have length 

I xe I +1+ 1 50 1 +1 =1 1 + I 1 +2 

and successful derivations of B0 have length 

I 50 I +1+ I sxe I +1 =1 50 I +1 + (I 50 I + I X0 I) + 1 = 2 I 50 I + I X0 I 

+2. 

Hence the non-increasing property of Definition 0 is satisfied. □ 

Note also that the program resulting from this transformation step is still noFD: 
sacc([], Acc, Acc) . 

sacc([X|Xs], Tot, Acc) <— sumlistCXs, S) , sum(X, Acc, T) , 
sum(S , T, Tot) . 

- switch sumlist{Xs, S) and sum{X, Acc,T). It is a safe replacement wrt its 
directional type by Definitional In fact the replacement is syntactically safe and 
it preserves the well- typing. 

Moreover 0 in Definition 0 cannot modify {5, T}, then we can prove that B0 
and B'0 are universally terminating, noFD queries. This allows us to prove, in 
a rather simple way, both that B,B' are equivalent in the second clause wrt 
the program and that B' is non-increasing in the clause wrt B. In fact the two 
atoms in B0 cannot share variables since they are both ground in the input terms 
and 50 = 5, T0 = T. Hence the two atoms in B0 are independent, universally 
terminating and noFD. Clearly switching them has no effect on the length and 
the c.a.s. of their LD -derivations. 

Note that the resulting program is still noFD: 

sacc([], Acc, Acc). 

sacc([X|Xs], Tot, Acc) <— sum(X, Acc, T) , sumlistCXs, S) , 
sum(S , T, Tot) . 

iv) fold with d in sacc definition: 
sacc([], Acc, Acc). 

sacc([X|Xs], Tot, Acc) <— sum(X, Acc, T) , saccCXs, Tot, T) . 
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The resulting program is still noFD. 

v) fold with d in the original definition of sumlist: 

sumlist ( [] , 0) . 

sumlist ( [X |Xs] , SX) ^ saccCXs, SX, X). 
sacc([], Acc, Acc) . 

sacc([X|Xs], Tot, Acc) <— sum(X, Acc, T) , saccCXs, Tot, T) . 

This is the final program, optimized through the accumulation technique. □ 

This example shows that, if we know that the sequences of atoms we deal with in a 
replacement are noFD, we can greatly simplify the verification of the replacement 
applicahility condition. Furthermore, as exemplified in the equivalence proof, the 
noFD property gives the possibility of unfolding also atoms which are not leftmost 
while preserving universal termination. 

Even if the noFD condition is very restrictive, we generally need to verify it 
only on some predicates, namely the ones to which we want to apply a specific 
transformation operation. 

On the other hand sometimes we could be interested in preserving the noFD 
property through the various transformation operations. Let us briefly consider 
them. 

When we introduce a new definition which refers to noFD predicates, we have 
to impose on it the further requirements given by our Definition |21 so that the 
extended program is also noFD. In our example we define sacc which refers to 
sumlist and .sum, which are both noFD predicates. The new definition d is also 
noFD. 

Leftmost unfold unconditionally preserves the noFD property. This is a conse- 
quence of Lemma Q On the contrary general unfold preserves neither the noFD 
property nor absence of FDs, as shown by the following example. 

Example 5. Let us consider the trivial program: 

1: p(X, Z) ^ q(X, Y), r(Y, Z) . 
q(b, a) . 
r(b, T) . 
r (a, T) . 

with directional types: 

A'(+ : {b},- ■ Any),q{+ : {b},- : {a}),r(-T : {a,b},~ : Any). 

The program is well- typed and noFD. 

By unfolding the second atom in clause 1 we obtain the following program. 

2: p(X, Z) ^ q(X, b) . 

3: p(X, Z) ^ q(X, a) . 
q(b, a) . 
r(b, T) . 
r (a, T) . 
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This program is no more noFD since clause 2 does not satisfy the first syntactic 
condition. 

Moreover clause 2, when used as input clause in an LZ?-derivation, produces a 
finitely failing derivation. □ 

Let us now consider replacement. In general we need to require that also the 
resulting clause is noFD. But for some special cases of replacement it is sufficient 
to require only part of the conditions in Definition!^ as shown in the following 
discussion. 

Fold is a special case of replacement. Let us assume that we fold a noFD clause 
c : <— A,B, C. by using a new definition d which is also noFD and let dO : 

iF 4— B . Then by definition of fold , the replacement of B with iF in c is 
syntactically safe and preserves well-typing. The only property we need to require 
is that the first condition of Definition\M holds for K. In fact it is sufficient that 
Out{K) = Var{Out{K)); 

if Ai, . . ., Xk are the output terms in K, then Xi ^ Xh, for i ^ h, i,h G [I, k]; 
Out(K) n Var{In{K)) = 0; 
in order to be able to prove that 

(c : Lf ^ A, B, C. is noFD) implies {d \ F[ ^ A, K, C. is noFD). 

Note that in our example both d and fold with d clearly satisfy the condition. 

The associativity of a predicate is also a special case of replacement. This replace- 
ment naturally preserves the property of being noFD. In fact let B = 
(p(Al, X2, T), p{T, A3, Z))9 and B' = (p(A2, A3, V), p(Al, V, Z))9, where p is 
an associative predicate, such as sum or app, with moding ) and 9 is 

a well-typed input substitution with Dom(0|B) = Dom(0|B') = {Al, A2, A3}. 
By definition of replacement, when the associativity is applicable it must be 
syntactically safe and preserve well-typing. Hence it is easy to prove that 
(B is a noFD query) iff (B' is a noFD query) 
and then also 

(c : A,B,C. is noFD) iff (c' : iJ ^ A,B',C. is noFD). 

Switch is also a special case of replacement. Let c : ^ C, A, B, D. Switching 

A and B in c is clearly syntactically safe and, in order to be applicable, it has 
to preserve we 11- typing. Hence we need to impose only the further condition 
Out{A) n Var{B) — 0. 

In fact if this is verified, we have that 

(c : B ^ C, A, B, D. is noFD) implies (c' : B ^ C, B, A, D. is noFD). 

Note that when the two atoms A and B do not share variables, as in our exam- 
ple, such condition is already verified and then the noFD property is naturally 
preserved through switching. 

5 Conclusion 

We have defined the class of programs and queries without failures which have 
the property of not having finitely failing derivations. Such property is easy to 
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check, it is preserved through leftmost unfolding and it is useful both for ver- 
ifying program properties and for program transformation. The class of noFD 
programs is very restricted but usually it is sufficient that only some of the predi- 
cates in the program are in the class. One of the most serious restrictions is that 
programs containing tests cannot be in the class. We could extend the noFD 
class by following two directions: one consists in finding new weaker syntactic 
conditions for absence of FDs, the other, on which we are presently working, 
consists in defining the wider class of successful programs which includes also 
programs with tests. noFD queries for successful programs have the property 
of having at least one successful derivation, if they are universally terminating. 
This property is more complex to verify but it is less restrictive and still useful 
both for verifying program properties and for program transformation. 

Finitely failing LD-derivations, even if relevant in practice, are difficult to study 
and characterize. Previous studies have focused on the set of atoms which finitely 
fail. This can be used to characterize properties of negation-as-failures. In pro- 
gram verification and transformation we are actually interested in identifying 
both the queries which have some successful LD-derivations and those which 
have some finitely failing LD-derivations. 

Non-failure analysis is interesting also for parallel execution optimization. In [14] 
a method is given for detecting programs and queries which produce at least one 
solution or do not terminate. The method is based on a different notion of mode 
and type information and deals also with programs containing tests. Our pro- 
posal is clearly more restrictive, but also simpler to verify. 
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6 Appendix 

6.1 Well- Typed Queries and Programs 

We recall the definiton of well-typed query and program from m 
To simplify the notation, when writing an atom as p(u : S,v : T), we assume 
that u : S is a sequence of typed terms filling in the input positions of p and 
V : T is a sequence of typed terms filling in the output positions of p. 

Definition 4 ([pj). 

— A query pi{ii :Ii,Oi : Oi), . . .,p„(i„ :I„,o„ : 0„) is well-typed iff 
for j G [l,n] 

H • ■ •: Oj-1 ■ ®j-l ^ ij ■ Ij- 

— A clause po{oo : Oo,in+i : In+i) 

^pi(ii : Ii,Oi : Oi), . . .,p„(in : In,o„ : 0„). is well-typed iff 
for j G [l,n-k 1] 

1= Oq : Oq, . . ., Oj_i : Oj_i =k ij : Ij. 

— A program is well-typed iff every clause of it is. □ 

Thus, a query is well-typed if 

— the types of the terms filling in the input positions of an atom can be deduced 
from the types of the terms filling in the output positions of the previous 
atoms. 

And a clause is well-typed if 

— (j G [1, n]) the types of the terms filling the input positions of a body atom 
can be deduced from the types of the terms filling in the input positions of 
the head and the output positions of the previous body atoms, 

— {j = n + 1) the types of the terms filling in the output positions of the head 
can be deduced from the types of the terms filling in the input positions of 
the head and the types of the terms filling in the output positions of the 
body atoms. 

Note that a query with only one atom is well-typed iff this atom is correctly 
typed in its input positions. 
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6.2 Safe Replacement Wrt Directional Types 

In [8] we extend the safe transformation sequence by adding the replacement 
operation and state the following applicability condition in order to ensure that 
it preserves both c.a.s. and universal termination. 

Definition 5 (@]). Let B and B' be sequences of atoms, P a well-typed program 
and c : i? <— A, B, C. a clause in P. Let X he the set o/ common variables and 
Y the set o/ private variables in B and Bb 

Replacing B with B' in c is safe wrt P and its directional types iff 

— it is syntactically safe, that is 

the variables in Y are local wrt c and c' : 

Var{H,A,C)f^Y = 0 ; 

for all substitutions 6 such that Var{0) n Var{c) C Var(H, A), Var{9) C\Y = % 
and cO is well-typed, 

— the well-typing is preserved, namely 
c'O is also well-typed; 

— B and B' are equivalent in c wrt P: 

MlPj{B0)^x9 = MlPj{B'e)^xe; 

— B' is non-increasing in c wrt B in P.' 

for any finite LD-derivation I' : B'0 \ — -*p R, where either R = □ or 

R = fail, there exists a corresponding finite LD-derivation I : B0 \ — R, 
with X0Y ~ X0d, which is not shorter: \ I |>| V |. □ 

The last two conditions are in general not computable and often difficult to 
verify. For the third one it is possible to use program transformation techniques, 
while the last one usually requires inductive proofs which can be difficult in 
presence of FDs. 

6.3 Proof of Lemma E 

Lemma Let P be a noFD program and Q a noFD query in P . Let us consider 
one non-trivial LD-derivation step Q | — >p Q'. The query Q' is also noFD. 

Proof. Q' is well- typed by a Lemma in 

Let Q = then Q' = (Ci, . . .,Cr, B 2 , ■ ■ Bm)o', where c : K 

<— Cl , . . ., Cr- is the input clause used in the derivation step, a = mgu{K, Bi) 
and c is standardized apart wrt Q. 

First we prove that the first condition of noFD queries in Definition 3 holds for 
Q', namely: 

Out(Cj(j), for j G [1, r] and Out{Bicr), for i G [2, m] are all distinct variables 
and they do not appear leftmost: 
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(a) Out{CjCr) = Var{Out{Cj<r)), 

if Xi, . . Xk are the output terms in Cja, then Xi ^ Xh, for i ^ h, i,h € 
[1, k] and 

Out(Cja) n {Var{Cia, . . .,Cj-\a) U Var{In{Cja))) = 0, for j G [l,r]; 

(b) Out{Bio) = Var{Out{Bia)), 

if Xi, . . Xk are the output terms in Bia, then Xi ^ Xh, for i ^ h, i,h G 
[1, k] and 

Out{Bio) n {Var{Cia, . . .,Cr(J, B 21 T, . . Bi-ia) U V ar{In{Bia))) = 0, for 
i G [2, m], 

c is standardized apart wrt Q and a is idempotent and relevant hence 
t4ar(Q) n V ar{c) = 0 and a = o\Bi ' <^\k- 

Q is noFD in P, then by the first property of noFD queries, we know that: 

— Out{Bi) are all distinct variables and Out{Bi) n Var{In{Bi)) = 0; 
then cr is the identity on V ar{Out{K)) — Var{In{K)). 

— Out{Bi), for i G are all distinct variables and they do not appear 

leftmost: 

Out{Bi) n {Var{Bi , . . U V ar{In{Bi))) = 0, for i G [2, m]; 
then cr is the identity on Out{Bi), for i G [2,m]. 

On the other hand c is noFD then 

— Out(Cj), for j G [l,r], are all distinct variables and they do not appear in 
input terms in the head and leftmost in the body: 

Out{Cj) n {V ar{In{K)) U Var{C\, . . U Var{In{Cj))) = 0, for j G 

Ihrj; 

then cr is the identity also on Out{Cj), for j G [l,r]. 

Hence we can omit some a in (a), thus it remains to prove: 

(a) Out{Cj) n {Var{Cia, . . U Var{In{Cja))) = 0, for j G [l,r]. 

Since a is the identity on Out{Ci, . . Cr) and c is noFD, we can reduce it to 

(a) Out{Cj) n {y ar{In{Cia , . . ., Cja)) = 0, for j G [1, r]. 

Then it is sufficient to prove that Out{Cj) has no variable in common with the 
ones introduced by a in In{K), for j G [l,r]. 

But Var{a\ini^K)) = Var{In{K)) U Var{In{Bi)) and we already observed that 
cr is the identity on the terms which are only in output in K, then 
Out{Cj) n Var{Bi) = 0, because c is standardized apart; 

Out{Cj) n Var{In{K)) = 0, since the first property in Definition 2 holds for 

c. 

This concludes the proof of (a). 

Let us consider (b). Since a is the identity on Out{Cj) and on Out{Bi), for 
j G [l,r] and i G [2,m], and since c and Q are noFD, we can reduce (b) to: 

(b) Out(Bi) n {Var{In{Cia , . . ., Crcr, B 2 a , . . ., Bia))) = 0, for i G [2, m]. 

But c and Q are standardized apart and Q is noFD, hence it sufficient to prove 
that Out{Bi) has no variable in common with the ones introduced by a, for 
i G [2, m]: 
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Out{Bi) n Var{a) = 0, for i G where Var{a) = Var{K) U Var{Bi). 

As before 

Out{Bi) n Var{Bi) = 0, because Q is noFD; 

Out(Bi) n Var{K) — 0, because of the standardization apart. 

This concludes the proof of (b) . Hence the first condition of Definition 3 is proved 
for Q'. 

Let us consider now the second condition of noFD queries. 

Such condition holds for Q and c and then for the atoms Ci, . . .,Cr, B 2 , ■ ■ ■, Bm- 
As we already noticed, a is the identity on Out{Cj) and on Out{Bi), for j G 
[l,r] and i G and the property of being well- typed is preserved through 

resolution m 

Hence the second condition of Definition 0 is satisfied also for the well-typed 
query Q' = (Ci, . . ., Cr, B 2 , ■ . ., Bm)(r. □ 
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Abstract. Schema-based logic program transformation has proven to 
be an effective technique for the optimisation of programs. This paper 
results from the research that began by investigating the suggestions in 
CH to construct a more general database of transformation schemas for 
optimising logic programs at the declarative level. The proposed trans- 
formation schemas fully automate accumulator introduction (also known 
as descending computational generalisation), tupling generalisation (a 
special case of structural generalisation), and duality laws (which are 
extensions to relational programming of the first duality law of the fold 
operators in functional programming). The schemas are proven correct. 
A prototype schema-based transformation system is evaluated. 



1 Introduction 



Schema-based program construction and synthesis were studied in logic pro- 
gramming [hf I Of I 6f 1 4123] and in functional programming [20ri1j . Using schemas 
for logic program transformation was first studied in H3| and then extended in 
P3IS|. Schema-based logic program transformation was also studied in [11,15]. 
This paper results from the research that began by investigating the suggestions 
in nn and extending the ideas in (Q to construct a database of more general 
transformation schemas for optimising logic programs at the declarative level. 
For full details of this research, the reader is invited to consult jS]. 

Throughout this paper, the word program (resp. procedure) is used to mean 
typed definite program (resp. procedure). An open program is a program where 
some of the relations appearing in the clause bodies are not appearing in any 
heads of clauses, and these relations are called undefined (or open) relations. If 
all the relations appearing in the program are defined, then the program is a 
closed program. The format of a specification Sr of a relation r is: 



VX : X. vr : y. Ir(X) ^ [r(X, Y) ^ Or{X, Y)] 

where Xr{X) denotes the input condition that must be fulfilled before the exe- 
cution of the procedure, and Or{X, Y) denotes the output condition that will be 
fulfilled after the execution. 

We now give the definitions of the notions that will be used throughout the 
paper. All the definitions are given for programs in closed frameworks [12]. A 
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framework can be defined simply as a full first-order theory (with identity) with 
intended model. A closed framework has no parameters and open symbols. Thus, 
it completely defines an abstract data type (ADT). 

Correctness and Equivalence Criteria. We first give correctness and equiv- 
alence criteria for programs. 

Definition 1 ((Correctness of a Closed Program)). 

Let P be a closed program for a relation r in a closed framework T . We say 
that P is (totally) correct wrt its specification Sr iff, for any ground term t of 
X such that Tr{t) holds, we have P h r{t,u) iff P ^ Or(t,u), for every ground 
term u of y. If we replace ‘iff’ by ‘implies’ in the condition above, then P is said 
to be partially correct wrt Sr, and if we replace ‘iff’ by ‘if’, then P is said to be 
complete wrt Sr- 

This kind of correctness is not entirely satisfactory, for two reasons. First, 
it defines the correctness of P in terms of the procedures for the relations in 
its clause bodies, rather than in terms of their specifications. Second, P must 
be a closed program, even though it might be desirable to discuss the correct- 
ness of P without having to fully implement it. So, the abstraction achieved 
through the introduction (and specification) of the relations in its clause bodies 
is wasted. This leads us to the notion of steadfastness (also known as parametric 
correctness) 

Definition 2 ((Steadfastness of an Open Program)). 

In a closed framework T, let: 

— P be an open program for a relation r 

— qi , . . . , 9 m be all the undefined relation names appearing in P 

— ^i, . . . , Sm be the specifications of qi, , Qm- 

We say that P is steadfast wrt its specification Sr in {^i, . . . , Sm} iff the (closed) 
program P U Ps is correct wrt Sr, where Ps is any closed program such that: 

— Ps is correct wrt each specification Sj (1 < j < m) 

— Ps contains no occurrences of the relations defined in P. 

For program equivalence, now, we do not require the two programs to have 
the same models, because this would not make much sense in some program 
transformation settings, where the transformed program features relations that 
are not in the initially given program. That is why our program equivalence cri- 
terion establishes equivalence wrt the specification of a common relation (usually 
the root of their call-hierarchies). 

Definition 3 ((Equivalence of Two Open Programs)). 

In a closed framework P, let P and Q be two open programs for a relation 
r. Let ^i, . . . , Sm be the specifications of pi,. . . , Pm, which are all the unde- 
fined relation names appearing in P, and let S}, . . . ,S( be the specifications of 
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gi,. . . , qt, which are all the undefined relation names appearing in Q. We say 
that (P, {51, . . . , 5m}) is equivalent to {Q, |5{, . . . , 5)}) wrt the specification Sr 
(or simply that P is equivalent to Q wrt Sr) when P is steadfast wrt Sr in 
|5i, . . . , 5m| and Q is steadfast wrt Sr in |5{, . . . , 5)}. Since the ‘is equivalent 
to’ relation is symmetric, we also say that P and Q are equivalent wrt Sr- 

In program transformation settings, there sometimes are conditions that have 
to be satisfied by some parts of the initial and/or transformed program in order 
to have a transformed program that is equivalent to the initially given program 
wrt the specification of the top-level relation. Hence the following definition. 

Definition 4 ((Conditional Equivalence of Two Open Programs)). 

In a closed framework P, let P and Q be two open programs for a relation 
r. We say that P is equivalent to Q wrt the specification Sr under conditions C 
iff P is equivalent to Q wrt Sr whenever C holds. 

Program Schemas and Schema Patterns. The notion of program schema 
was also used in fyiiiiiji;iiaijihiai2b^ . but here we have an additional com- 
ponent, which makes our definition m of program schemas different. 

Definition 5 ((Program Schemas)). 

In a closed framework P, a program schema for a relation r is a pair {T,C), 
where T is an open program for r, called the template, and C is a set of speci- 
fications of the open relations of T, in terms of each other and in terms of the 
input/output conditions of the closed relations of T. The specifications in C, 
called the steadfastness constraints, are such that, in P, T is steadfast wrt its 
specification Sr in C. 

Sometimes, a series of schemas are quite similar, in the sense that they only 
differ in the number of arguments of some relation, or in the number of calls to 
some relation, etc. For this purpose, rather than having a proliferation of similar 
schemas, we introduce the notion of schema pattern (compare with [6]). 

Definition 6 ((Schema Patterns)). 

A schema pattern is a program schema where term, conjunct, and disjunct el- 
lipses are allowed in the template and in the steadfastness constraints. 

For instance, TXi, . . . , TXt is a term ellipsis, and Ai=i fifTXi, TYi) is a con- 
junct ellipsis. Our schemas are more general than those in P] in the sense that 
we now allow such ellipses. 

Schema-based Program Transformation. In schema-based transformation, 
transformation techniques are pre-compiled at the schema- level. 

Definition 7 ((Transformation Schemas)). 

A transformation schema is a 5-tuple (5i, S 2 , A, O 12 , O 21 ), where 5i and S 2 are 
program schemas (or schema patterns), A is a set of applicability conditions. 
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which ensure the equivalence of the templates of Si and S2 wrt the specification 
of the top-level relation, and O12 (resp. O21) is a set of optimis ability conditions, 
which ensure further optimisability of the output program schema (or schema 
pattern) S2 (resp. S'!). 

If a transformation schema embodies some generalisation technique, then it 
is called a generalisation schema. The problem generalisation techniques that 
are used in this paper are explained in detail in Using these techniques for 
synthesising and/or transforming a program in a schema-based fashion was first 
proposed in mni, and then extended in m- The generalisation methods that 
we pre-compile in our transformation schemas are tupling generalisation, which 
is a special case of structural generalisation where the structure of some pa- 
rameter is generalised, and descending generalisation, which is a special case of 
computational generalisation where the general state of computation is gener- 
alised in terms of what remains to be done. If a transformation schema embodies 
a duality law, then it is called a duality schema. 

In the remainder of this paper, we first give two divide-and-conquer schema 
patterns in Section |21 We then explain in detail how automation of program 
transformation is achieved by tupling and descending generalisation, in Sec- 
tions 0 and 0 In Section 0 we explain the duality schemas. In Section 6, we 
discuss, by using the results of performance tests, the effects of the optimisabil- 
ity conditions in the transformation schemas. Before we conclude, the prototype 
transformation system, which was developed to test the practicality of the ideas 
explained in this paper, is presented in Section 0 

2 Divide-and-Conquer Programs 

The schema patterns in this section abstract sub-families of divide-and-conquer 
(DC) programs. They are here restricted to binary relations with X as the induc- 
tion parameter and Y as the result parameter, to reflect the schema patterns that 
can be handled by the prototype transformation system explained in Section 7. 
Another restriction in the schema patterns is that when X is non-minimal, then 
X is decomposed into h = 1 head HX and t > 0 tails TX\, . . . ,TXt, so that 
Y is composed from 1 head HY (which is the result of processing HX) and t 
tails TYi , . . . , TYt (which are the results of recursively calling the relation with 
TXi, . . . , TXt, respectively) by p-fix composition (i.e., Y is composed by putting 
its head HY between its tails TTp_i and TYp). 

These schema patterns are called DCLR and DCRL (the reason for these 
names will be explained soon). Template DCLR (resp. DCRL) below is the tem- 
plate of the DCLR (resp. DCRL) schema pattern. In these patterns, minimal, 
solve, etc., denote place-holders for relation symbols. During the particulari- 
sation of a schema pattern to a schema, all these place-holders are renamed, 
because otherwise all divide-and-conquer programs would have the same rela- 
tion symbols. Indeed, since a template is an open program, the idea is to obtain 
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concrete programs from the template by adding programs for the open relations, 
such that these programs satisfy the steadfastness constraints. The steadfastness 
constraints corresponding to these DC templates (i.e., the specifications of their 
open relations) are the same, since these templates have the same open relations. 
Such constraints are shown in [12] in this volume. 



r{X,Y)^ 
minimal(X), 
solve{X,Y) 
r{X,Y)^ 
nonMinimal{X), 
decompose{X, H X,TXi, . . . ,TXt), 
r{TXi,TYi),...,r{TXt,TYt), 
init{Io), 

compose{Io, TYi, h), compose{Ip-2, TYp-i,Ip-i), 
process{HX, HY), compose{Ip-i, HY, Ip), 
compose{Ip, TYp, Ip+i), compose{It, TYt, It+i), 

Y = It+i 



Template DCLR 



r{X,Y)^ 
minimal(X), 
solve{X,Y) 
r(X,Y)^ 
nonMinimal(X), 
decompose(X,HX,TXi, . . . ,TXt), 
r{TXi,TYi),...,r{TXt,TYt), 
init{It+i), 

composeiTYt, h+i, It),---, compose{TYp, Ip+i, Ip), 
process{HX, HY) , compose{HY, Ip, Ip-i), 
compose(TYp-i, Ip-i, Ip-2), ---, compose[TYi, h,Io), 
Y = h 



Template DCRL 

We can now explain the underlying idea why we have two different schema 
patterns for DC, and why we call them DCLR and DCRL- If we denote the 
functional version of the compose relation with 0, then the composition of Y in 
template DCLR by left-to-right {LR) composition ordering can be written as: 



Y = ((((((e © TYi) ©...)© rFp_i) © HY) © TYp) ©...)© TF* (1) 
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where e is the (unique) term for which init holds. Similarly, the composition of 
Y in DCRL by right-to-left {RL) composition ordering can be written as: 

y = TFi © (. . . 0 {TYp_^ © {HY © {TYp ©(...© {TYt © e)))))) (2) 

Throughout the paper, we use the infix-flat problem, whose DC programs are 
given in the example below. 

Example 1. The specification of infix-flat is: 

infix-flat{B, F) iff list F is the infix representation of binary tree B 



where infix representation means the list representation of the infix traversal of 
the tree. Program 1 (resp. Program 2) below is the program for the infix-flat/2 
problem that is a (partially evaluated) instance of the DCLR (resp. DCRL) 
schema pattern, for t = p = 2. Note the line-by-line correspondence between the 
program computations and the templates. 



infix-flat{B, F) ^ 
B = void, 



infix-flat{B, F) ^ 
B = void, 



F=[] 

infix-flat{B, F) 



F = [] 

infix-flat{B, F) 



B = bt{., _, _), 

B = bt{L,E,R), 
infix-flat{L, FL), 

infix-flat{R, FR), 

lo = []. 

append{Io, FL,Ii), 

HF = [E],append{B,HF,l 2 ), 
append{l 2 , FR, I 3 ), 

F = h 



B = &t(-,_, -), 

B — bt{L, E, R), 
infix-flat{L, FL), 

infix-flat{R,FR), 

h = [], 

append{F R, I3, 12 ), 

HF = [E],append{HF,l 2 ,h), 
append{FL,h, Iq), 

F = Io 



Program 1 



Program 2 



3 Program Transformation by Tupling Generalisation 

If a program for a relation r, which has the specification Sr of Section 1, is 
given as an instance of DCLR (or DCRL ) , then the specification of the tupling- 
generalised problem of r, namely Sr_tupUng, is: 

VXs : list of df. Vr : y. (VX -.X.XgXs^ MX)) ^ 
{r_tupling{Xs, Y) (Xs = [] A P = e) V (Xs = [Xi,X2, ■ ■ ■ , Xn] 

n n 

A /\Or{X„Yi) Ah = YiA /\OM-i,Y„R) A P = /„)) 

i=l i=2 

where Oc is the output condition of compose, and e is the (unique) term for 
which init holds. 
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The tupling generalisation schemas (one for each DC schema pattern) are: 

TGi : { DCLR, TG, Atj, Otj^i2, Oti2i ) where 
Ati : - compose is associative 

- compose has e as the left and right identity element 

-MX -.X. Tr{X) A minimal{X) ^ Or{X, e) 

- MX : X. Tr{X) => \-^minimal{X) nonMinimal{X)] 

Otii2 '■ partial evaluation of the conjunction 

process{HX, HY) , compose{HY, TY, Y) 

results in the introduction of a non-recursively defined relation 
Oti2i : partial evaluation of the conjunction 

process{HX, HY),compose{Ip-i, HY, Ip) 

results in the introduction of a non-recursively defined relation 

TG2 '■ { DCRL, TG, At2, 0*212, 0*321 ) where 
A*2 : - compose is associative 

- compose has e as the left and right identity element 

-MX-.X. Tr{X) A minimal{X) => Or{X, e) 

- MX : X. Tr{X) => \-^minimal{X) nonMinimal{X)] 

0*212 : partial evaluation of the conjunction 

process{HX, HY) , compose{HY, TY, Y) 

results in the introduction of a non-recursively defined relation 
0*221 : partial evaluation of the conjunction 

process{H X , HY) , compose{HY, Ip, Ip-i) 

results in the introduction of a non-recursively defined relation 

where the template of the common schema pattern TG is given on the next page. 

Note that, in the TG template, all the open relations of DCLR (or DCRL) 
appear, but no new relations. This crucial observation enables the once-and-for- 
all verification of the conditional equivalence of the two templates in the TGi 
transformation schemas wrt Sr under which verification is thus indepen- 
dent of the actual specifications of the open relations (i.e., the steadfastness 
constraints) @|. 

The applicability conditions of TGi (resp. TG2) ensure the equivalence of the 
DCLR (resp. DCRL) and TG programs for a given problem. The optimisabil- 
ity conditions ensure that the output programs of these generalisation schemas 
can be made more efficient than the input programs. Indeed, the optimisability 
conditions, together with some of the applicability conditions, check whether the 
compose calls in the TG template can be eliminated. For instance, the conjunc- 
tion solve{X, HY), compose{HY, TY, Y) in the second clause of rdupling can be 
simplified to Y = A, if relation r maps the minimal form of X into e, and if e is 
also the right identity element of compose. This is already checked by the second 
and third applicability conditions of TG\ and TG2. Also, in the third and fourth 
clauses of rdupling, the conjunction process{HX, HY),compose{HY,TY,Y) 
can be partially evaluated, resulting in the disappearance of that call to compose, 
and thus in a merging of the compose loop into the r loop in the DCLR (or 
DCRL) template, if the optimisability condition 0*^i2 (or 0*212) holds. 

Let us illustrate tupling generalisation by applying the TG* generalisation 
schemas on the infix-flat problem. 
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r(X,Y)^ 
rJ.upling{[X], Y) 
rJ,upling[Xs,Y) ^ 

Xs=[], 

init{Y) 

rJ,upling[Xs,Y) <— 

Xs = [X\TXs], 
minimal{X), 
rJupling(TXs, TY), 
solve{X,HY), 
compose{HY,TY,Y), 
rJ,upling[Xs,Y) <— 

Xs = [X\TXs], 
nonMinimal[X), 
decompose{X, H X,TXi, . . . ,TXt), 
minimal{TXi), . . . , minimal{TXt), 
rJupling{TXs, TY), 
process{HX,HY), 
compose{HY,TY,Y) 
rJ,upling[Xs,Y) <— 

Xs = [X\TXs], 
nonMinimal{X), 
decompose{X,HX,TXi, . . . ,TXt), 



infix-flat{B,F) ^ 
infix-flatJ{[B],F) 
infix-flatJb{Bs,F) ^ 

Bs = [\, 

F = [] 

infix-flatJ(Bs, F) <— 

Bs = [B\TBs], 

B = void, 

infix-flatJ,{T Bs,TF), 
HF=[], 

append{H F, TF,F) 
infix-flatJt(Bs,F) <— 

Bs = \B\TBs], 

B = -), 

B — bt{L, E, R), 

L = void, R = void, 
infix-flatJ{T Bs,TF), 
HF=[E], 
append{F[ E, TF,F) 
infix-flatJt{Bs,E) <— 

Bs = \B\TBs], 

B = 

B = bt{L,E,R), 

L = void, 

R = bt{., 

infix-flatJ^{[R\TBs],TF), 
HF=[E], 
append{H E, T F, F) 
infix-flatJt(Bs,F) <— 

Bs = [B\TBs], 

B = 

B — bt{L, E, R), 

L = 

R = void, 

Ul = void, 

N = bt{UL,E,R), 
infix-flatS{[L, N\TBs],TE), 
infix-flatJ:(Bs,E) <— 

Bs = [B\TBs], 

B = 

B = bt{L, E, R), 

L = bt{.,.,.), 

R = bt{., 

Ul = void, Ur = void, 

N = bt{UL,E,UR), 

inf ix -flat J,{[L, N, R\TBs], F) 



minimal{TXi), . . . , minimal{T Xp-i) , 
{nonMinimal{TXp); . . nonMinimal{TXt)), 
rJupling{[TXp, . . . ,TXt\TXs],TY), 
process{HX,HY), 
compose{HY,TY,Y) 
rJ,upling{Xs,Y) ^ 

Xs = [X\TXs], 
nonMinimal{X), 
decompose{X,HX,TX\, . . . ,TXt), 

{nonMinimal{TX \)\ . . . ; nonMinimal{T Xp-i)) , 
minimal [T Xp) , . . . , minimal{TXt), 
minimal(Ui), . . . , minimal{Up-i), 
decompose{N, HX, Ui, . . . , Up-i,TXp, . . . ,TXt), 
rJupling{[TXi, . . . ,TXp-i, N\TXs], Y) 
rJ,upling[Xs,Y) ^ 

Xs = [X\TXs], 
nonMinimal{X), 
deaympose[X , H X , TXi, . . . ,TXt), 

(nonMinimal{TX \)-, . . . ; nonMinimal{T Xp-i)) , 
{nonMinimal{TXp); . . nonMinimaKTXt)), 
minimal{U\), . . . , minimal{Ut), 
decompose{N, HX, Ui, . . . , Ut), 
rJupling{[TXi, . . . ,TXp-i, 

N,TXp,...,TXt\TXs],Y) 

Template TG and Program 3 
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Example 2. The specification of the infix-flat problem, and its DCLR and 
DCRL programs, are in Example 1 in Section 2. The infix-flat problem can 
be tupling-generalised using the TGi transformation schemas above, since the 
infix-flat programs have open relations that satisfy the applicability and op- 
timisability conditions of these schemas. So, the specification of the tupling- 
generalised problem of infix-flat is: 

infix-flat-t{Bs, F) iff F is the concatenation of the infix representations of the 
elements in the binary tree list Bs. 

Program 3 on the previous page is the tupling-generalised program for infix-flat 
as an instance of TG, for t = p = 2. 

Although the tupling generalisation schemas are constructed to tupling- 
generalise DC programs (i.e., to transform DC programs into TG programs), 
these schemas can also be used in the reverse direction, such that they trans- 
form TG programs into DC programs, provided the optimisability conditions 
for the corresponding DC schema pattern are satisfied; note that applicability 
conditions work in both directions. 

4 Program Transformation by Descending Generalisation 

Descending generalisation |EJ can also be called the accumulation strategy (as 
in functional programming |^, and in logic programming H) , since it intro- 
duces an accumulator parameter and progressively extends it to the final result. 
Descending generalisation can also be seen as transformation towards difference 
structure manipulation, since any form of difference structures can be created 
by descending generalisation, and not just difference-lists. 

Four descending generalisation schemas (two for each DC schema pattern) are 
given. Since the applicability conditions of each descending generalisation schema 
are different, the process of choosing the appropriate generalisation schema for 
the input DC program is done only by checking the applicability and optimisabil- 
ity conditions, and the eureka (i.e., the specification of the generalised problem) 
then comes for free. 

The reason why we call the descendingly generalised (DC) schema patterns 
^DGFR’ and ^DGRF^ is similar to the reason why we call the divide-and-conquer 
schema patterns DCLR and DCRL, respectively. In descending generalisation, 
the composition ordering for extending the accumulator parameter in the tem- 
plate DCLR (resp. DCRL) is from left-to-right (LR) (resp. right-to-left (RL)). 
The first two descending generalisation schemas are: 

DGi : { DCLR, DCLR, Adg^, Odgii2, Odgi2i ) where 
Adgi : - compose is associative 

- compose has e as the left identity element 
Odgii2 : - compose has e as the right identity element 
and Ir{X) A minimal(X) Or{X,e) 

- partial evaluation of the conjunction 
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process{H X , HY) , compose{Ap-i, HY, Ap) 
results in the introduction of a non-recursively defined relation 
Odgi2i '■ - partial evaluation of the conjunction 

process{HX, HY),compose{Ip-i, HY, Ip) 

results in the introduction of a non-recursively defined relation 

DGa ■■ { DCRL, DGLR, Adg^, Odgii2, 0^9421) where 
Adg^ : - compose is associative 

- compose has e as the left and right identity element 
Odgii2 : - Rr{X) A minimal{X) => Or{X,e) 

- partial evaluation of the conjunction 
process{HX, HY),compose{Ap-\, HY, Ap) 
results in the introduction of a non-recursively defined relation 
Odgi2i ■ - partial evaluation of the conjunction 

process{HX, HY) , compose{HY, Ip, Ip-i) 

results in the introduction of a non-recursively defined relation 

where e is the (unique) term for which init holds. These schemas have the same 
formal specification (i.e., eureka) for the relation r_descendingi of the schema 
pattern DGLR, namely: 

VX : T. : y. Ir{X) ^ 

[r_descendingi{X,Y, A) 3 S : y. Or{X, S) A Oc{A, S,Y)] 

where Oc is the output condition of compose. The template of the common 
schema pattern DGLR of DG\ and DG4 is: 

r{X,Y) ^ 

init{A),rjdescendingi{X, Y, A) 
rXtescendingi {X, Y, A) <— 
minimal {X), 

solve{X, S), compose{A, S, Y) 
rjdescendingi {X, Y, A) <— 
nonMinimal(X), 

decompose{X, HX,TXi, . . . ,TXt), 
init(E), compose{A, E, d_o), 

rJLescendingi{TXi, Ai, To), . . . , rjlescendingi{T Xp-i, Ap-i, Ap-2), 
process{HX, HY), compose{Ap-i, HY, Ap), 
rJLescendingi{TXp, Ap+i, Ap), . . . , rAescendingi{TXt, At+i, At), 

Y = At+i 



Template DGLR 

Note that, in the DGLR template, all the open relations of DGLR (or DGRL) 
appear, but no new relations. The applicability and optimisability conditions of 
these two generalisation schemas differ, since the composition ordering is changed 
from RL to LR in DG^. 

We now illustrate descending generalisation on our infix-flat problem. 
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Example 3 . The specification of a program for the LR descendingly generalised 
version of infix-flat is: 

infix-flat-descendingi{B, F, A) iff list F is the concatenation of list A and the 
infix representation of binary tree B. 

Program 4 is the program for infix-flat as an instance of DGLR, for t = p = 2 . 



infix-flat{B,F) <— 
infix-flatjiescendingi{B,F, []) 
infix-flatAescendingi{B,F,A) <— 
B = void, 

S = [], append{A, S, F) 
infix-flatAescendingi{B,F,A) <— 
B = _), 

B — bt{L, E, R), 
append(A, [], ffo), 
infix-flatAescendingi{L, Ai, To), 
HF = [E], append{Ai, F[F, A2), 
infix-flatAescendingi{R, T3, A2), 
F^As 



Program 4 

Since the applicability conditions of DG\ (resp. DG4) are satisfied for the in- 
put DGLR (resp. DGRL) infix-flat program, the descendingly generalised 
infix-flat program can be Program 4 . However, for this problem, descending 
generalisation of the infix-flat programs with the DG transformation schemas 
above should not be done, since the optimisability conditions of DG\ (resp. 
DG4) are not satisfied by the open relations of infix-flat. Indeed, in the non- 
minimal case of inf ix -flat jlescendingi, partial evaluation of the conjunction 
HF = [E],append{Ai,HF,A2) does not result in the introduction of a non- 
recursively defined relation, because of properties of append (actually, due to 
the inductive definition of lists) . Moreover, the induction parameter of append, 
which is here the accumulator parameter, increases in length each time append 
is called in the non-minimal case, which shows that this program is not a good 
choice as a descendingly generalised program for this problem. So, the optimis- 
ability conditions are really useful to prevent non-optimising transformations. 

The other two descending generalisation schemas are: 

DG2 ■■ { DGLR, DGRL, Adg^, 043^12, 0^9321 ) where 
Ad32 ■ - compose is associative 

- compose has e as the left and right identity element 
Od32i2 - Ir{X) A minimal{X) => Or{X,e) 

- partial evaluation of the conjunction 
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process{H X , HY) , compose{HY, Ap, Ap-i) 
results in the introduction of a non-recursively defined relation 
Odg22i '■ - partial evaluation of the conjunction 

process{HX, HY),compose{Ip-i, HY, Ip) 

results in the introduction of a non-recursively defined relation 

DGs : { DCRL, DGRL, Adg^, Odg3i2, 0^9321) where 
Adg3 : - compose is associative 

- compose has e as the right identity element 
Odg3i2 '■ - compose has e as the left identity element 
and Tr{X) A minimal{X) Or{X,e) 

- partial evaluation of the conjunction 
process{HX, HY) , compose{HY, Ap, Ap-\) 
results in the introduction of a non-recursively defined relation 
Odg32i '■ - partial evaluation of the conjunction 

process{H X , HY) , compose{HY, Ip, Ip-i) 

results in the introduction of a non-recursively defined relation 

where e is the (unique) term for which init holds. These schemas have the same 
formal specification (i.e., eureka) for the relation r-descending2 of the schema 
pattern DGRL, namely: 

VX : T. : y. Ir{X) ^ 

[r_descending2{X,Y, A) 3 S : y. Or{X, S) A Oc{S, A,Y)] 

where Oc is the output condition of compose. Note the reversal of the roles of 
A and S compared to the specification of r.descendingi above. The template of 
the common schema pattern DGRL of DG2 and DG^ is: 

r{X,Y) ^ 

init(A),rjdescending2{X, Y, A) 
rjiescending2 {X, Y, A) <— 
minimal (X), 

solve{X, S), compose{S, A, Y) 
rjiescending2 {X, Y, A) <— 
nonMinimal(X), 

decompose{X, HX,TXi, . . . ,TXt), 
init(E), compose{E, A, At+i), 

rAescending2{TXt, At, At+i), ■ ■ ■ , rAescending2{TXp, Ap, Ap+i), 
process{HX, HY), compose{HY, Ap, Ap-R), 

rjdescending2[TXp-t, Ap-2, Ap-i ), . . . , rjlescending2{TXi, To, A\), 

Y = Ao 



Template DGRL 

Note that, in the DGRL template, all the open relations of DCLR (or DGRL) 
appear, but no new relations. The applicability and optimisability conditions of 
these two generalisation schemas differ, since the composition ordering is changed 
from LR to RL in DG2- 
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Example 4- The specification of a program for the RL descendingly generalised 
version of infix-flat is: 

infix-flatjdescending2{B, F, A) iff list F is the concatenation of the infix rep- 
resentation of binary tree B and list A. 

Program 5 is the program for infix-flat as an instance of DGRL, for t = p = 2. 



infix-flat{B,F) <— 
infix-flatjiescending2{B, -F, []) 
infix-flat-descending2{B,F,A) ^ 
B = void, 

S = [], append{S, A, F) 
infix-flatjiescending2[B,F,A) <— 
B = 6t(_, _), 

B = bt{L, E, R), 
append{\\, A, A3) , 

inf ix -flat jiescending2[R, T2, d.3), 
HF = \E],append{HF,A2,A\), 
infix-flat-descending2{L, Aqi,A\), 
F = Aq 



Program 5 

Since both the applicability conditions and the optimisability conditions of DG2 
(resp. DG3) are satisfied for the input DGLR (resp. DGRL) infix-flat pro- 
gram, descending generalisation of the infix-flat programs results in Program 5. 
Partial evaluation of the conjunction HF = [E], append{H F, A2,Ai) in the non- 
minimal case of infix-flat_descending2 then results in Ai = [if|A2]. Similarly, 
partial evaluation of the conjunction S' = [], append{S, A, F) in the minimal case 
results in F = A. Altogether, this amounts to the elimination of append. 

Although the descending generalisation schemas are constructed to descend- 
ingly generalise DC programs, these schemas can also be used to transform DC 
programs into DC programs, provided the optimisability conditions for the cor- 
responding DC schema pattern are satisfied. It is thus possible that we have 
Program 4 for the infix-flat problem, and that we want to transform it into a 
more efficient program; then the DC programs are good candidates, if we have 
the descending generalisation schemas above. 

5 Program Transformation Using Duality Laws 

In Section 0 while we discussed the composition ordering in the DC program 
schemas, the reader who is familiar with functional programming has noticed 
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the similarities with the fold operators in functional programming. A detailed 
explanation of the fold operators and their laws can be found in [3]. Here, we 
only give the definitions of the fold operators, and their first law. The foldr 
operator can be defined as follows: 



foldr ( 0 ) a [xi,X2, . . . , = Xi © (x2 © (. . . (a:„ 0 a) . . .)) 



where © is a variable that is bound to a function of two arguments. 
Similarly, the foldl operator can be defined as follows: 



foldl (©) a [xi, X2, . . . , x„] = (. . . ((a © x{) © X2) . . .) © Xn 

Thus, equation (1) in Section El which illustrates the composition of Y in the 
DCLR template, can be rewritten using foldl: 



Y = foldl (©) e [TY ^, . . . , TYp_i,HY, TYp , . . . , TYt] 

Similarly, the foldr operator can be used to rewrite equation (2), which illus- 
trates the composition of Y in the DCRL template: 

y = foldr (©) e [TFi, . . . , TYp_i,HY, TYp , . . . , TYt] 

The first three laws of the fold operators are called duality theorems. The first 
duality theorem states that: 

foldr (©) a xs = foldl (©) a xs 

if © is associative and has (left/right) identity element a, and xs is a finite list. 

By adding opt imis ability conditions, we can now devise a transformation 
schema based on this first duality theorem (compare with P]): 

Ddc • ( DC LR^ DCRL^ Addc^ Oddci2^ Oddc2i^ where 
Addc : - compose is associative 

- compose has e as the left and right identity element 
Oddci 2 : - partial evaluation of the conjunction 

process{HX, HY),compose{HY, Ip, Ip-i) 
results in the introduction of a non-recursively defined relation 
Oddc2i : - partial evaluation of the conjunction 

process{HX, HY), compose{Ip-i, HY, Ip) 

results in the introduction of a non-recursively defined relation 

where e is the (unique) term for which init holds, where the schema patterns 
DCLR and DCRL are given in Section El and where Addc comes from the con- 
straints of the first duality theorem. The optimisability conditions check whether 
the compose operator can be eliminated in the output program. 

Similarly, it is possible to give a duality schema between the DC schema 
patterns: 

Ddg • ( DCLR, DCRL, Addg, Oddgi2, Oddg2i) where 
Addg : - compose is associative 

- compose has e as the left and right identity element 
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Oddgi2- - VX : X. Xr{X) A minimal{X) ^ Or{X,e) 

- partial evaluation of the conjunction 
process{HX, HY), compose(HY, Ap, Ap-i) 

results in the introduction of a non-recursively defined relation 
Oddg2i- - VX : X. lr{X) A minimal{X) => Or{X,e) 

- partial evaluation of the conjunction 
process{H X , HY) , compose{Ap-i, HY,Ap) 

results in the introduction of a non-recursively defined relation 

where e is the (unique) term for which init holds, and where the schema patterns 
DGLR and DGRL are given in Section S 

6 Evaluation of the Transformation Schemas 

We evaluate the transformation schemas using performance tests done on par- 
tially evaluated input and output programs of each transformation schema. How- 
ever, the reader may find this evaluation a little bit dubious, since the transfor- 
mation schemas in this paper are only dealing with the declarative features of 
programs. This evaluation is made because we think that these performance 
tests will help us see what our theoretical results amount to when tested prac- 
tically, although in an environment with procedural side-effects. The programs 
are executed using Mercury 0.6 (for an overview of Mercury, please refer to [22]) 
on a SPARCstation 4. Since the programs are really short, the procedures were 
called 500 or 1000 times to achieve meaningful timing results. In Table 1, the 
results of the performance tests for five selected relations are shown, where each 
column heading represents the schema pattern to which the program written for 
the relation of that row belongs. (Of course, quicksort is not really a relation: 
we just mean to indicate that some partitioning is used as decompose for the 
sort relation.) The timing results are normalised wrt the DCLR column. 



relations 


DCLR 


DCRL 


TG 


DGLR 


DGRL 


Prefix flat 


1. 00 


0.92 


0.23 


11.88 


0.15 


Infix flat 


1.00 


0.49 


0.02 


7.78 


0.05 


Postfix flat 


1.00 


0.69 


0.14 


5.48 


0.09 


reverse 


1.00 


1. 00 


0.04 


1. 01 


O.OI 


quicksort 


1. 00 


0.85 


0.72 


6.02 


0.56 



Table 1. Performance test results 

The reason why we chose the relations above is that for all the five considered 
schema patterns programs can be written for these relations. 

Let us first compare the DCLR and DGRL schema patterns. For reverse, 
the DCLR and DGRL programs are the same, since they are singly recursive, 
and their compose relation is append, which is associative. For the binary tree 
flat relations and for quicksort, the DGRL programs are much better than the 
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DCLR programs, because of properties of relations like append (which is the 
compose relation in all these programs), which are the main reason for achiev- 
ing the optimisations of the DCRL programs for the relations above. Hence, 
if the input programs for the binary tree flat relations and for the quicksort 
problem to the duality schema are instances of the DCLR schema pattern, then 
a duality transformation will be performed, resulting in DCRL programs for 
these relations, since both the applicability and the optimisability conditions 
are satisfied by these programs. If the DCRL programs for the relations above 
are input to the duality schema, then the duality transformation will not be per- 
formed, since the optimisability conditions are not satisfied by append, which is 
the compose relation of the DCRL programs. Of course, there may exist some 
other relations where the duality transformation of their DCRL programs into 
the DCLR programs will provide an efficiency gain. Unfortunately, we could not 
find a meaningful relation of this category. 

The next step in evaluating the transformation schemas is to compare the 
generalised programs of these example relations. If we look at Table 1, the most 
obvious observation is that the DCRL programs for all these relations are very 
efficient programs. However, tupling generalisation seems to be the second best 
as a generalisation choice, and it must even be the first choice for relations like 
infix flat, where the composition place of the head in the result parameter is in 
the middle, and where the minimal and nonMinimal checks can be performed 
in minimum time. Although a similar situation occurs for quicksort, its TG 
program is not quite as efficient as its DCRL program. This is mainly because of 
partition, which is the decompose relation of quicksort, being a costly operation, 
although we eliminated most of the partition calls by putting extra minimality 
checks into the TG template. Since append, which is the compose relation in 
all the programs, cannot be eliminated in the resulting DCLR programs, the 
DCLR programs for these relations have the worst timing results. The reason for 
their bad performance is that the percentages of the total running times of the 
DCLR programs used by append are much higher than the percentages of the 
total running times of the DCLR and DCRL programs used by append for these 
relations. The reason for the increase in the percentages is that the length of the 
accumulator, which is the input parameter to append in the DCLR programs, 
is larger than the length of the input parameter of append in the DCLR and 
DCRL programs, since the partial result has to be repeatedly input to the 
compose relation in descending generalisation. 

A transformation should be performed only if it really results in a program 
that is more efficient than the input program. So, for instance, the descending 
generalisation of the input DCLR program for infix flat resulting in the DCLR 
program must not be done, even though the applicability conditions are satisfied. 
This is the main reason for the existence of the optimisability conditions in the 
schemas. 

In some of the cases, using generalisation schemas to transform input pro- 
grams that are already generalised programs into DG programs can produce an 
efficiency gain. For example, if the DCLR program for any of the flat relations 
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is the input program to descending generalisation (namely DGi or DGi), then 
a de-generalisation will be performed resulting in the DCLR (or DGRL) pro- 
gram, which is more efficient than the input DGLR program. However, with the 
current optimisability conditions, if the input program for any of the relations 
above to generalisation is a DGRL program, then the generalisation schemas 
are still applied in the reverse direction, resulting in a DGRL program, which 
means that the de-generalisation will result in a program that is less efficient 
than the input program. This makes us think of even more accurate ways of 
defining the optimisa&iZity conditions, namely as actual optimisation conditions, 
such that the transformation will always result in a better program than the 
input program. However, more performance analyses and complexity analyses 
are needed to derive such conditions. 



7 A Prototype Transformation System 

TranSys is a prototypical implementation of the schema-based program trans- 
formation approach summarised in this paper. TranSys is a fully automatic 
program transformation system and was developed to be integrated with a 
schema-guided program development environment. Therefore, the input program 
to TranSys is assumed to be developed by a synthesiser using the database of 
schema patterns known to TranSys. The schema pattern of which the input 
program is an instance is thus a priori known, and so are the renamings of 
the open relation symbols, the particularisations of the schema variables such 
as t and p, as well as the “closing” programs defining these open relations of 
the template. In other words, no matching between the input program and the 
templates of the transformation schemas has to be performed, unlike in [6,25]. 
Given an input program, TranSys outputs (what it believes to be) the best 
programs that are more efficient than the input program: this is done by collect- 
ing the leaves of the tree rooted in that input program and where child nodes 
are developed when both the applicability and the optimisability conditions of 
a transformation schema hold. All the transformation schemas and the schema 
patterns, which are the input (or output) schema patterns of these transforma- 
tion schemas, given in jSj (i.e., a superset of the schemas given in this paper), 
are available in the database of the system. 

TranSys has been developed in SICStus Prolog 3. Since TranSys is a 
prototype system, for some parts of the system, instead of implementing them 
ourselves, we reused and integrated other systems: 

— For verifying the applicability conditions and some of the optimisability con- 
ditions, PTTP is integrated into the system. The Prolog Technology Theorem 
Prover (PTTP) was developed by M. Stickel (for a detailed explanation of 
PTTP, the reader can refer to 121 ). PTTP is an implementation of the model 
elimination theorem proving procedure for the full first-order predicate cal- 
culus. TranSys uses the version of PTTP that is written in Prolog and that 
compiles clauses into Prolog. 



66 



Halime Biiyiikyildiz and Pierre Flener 



— For verifying the other optimisability conditions, and for applying these op- 
timisations to the output programs of the transformation schemas, we in- 
tegrated Mixtus 0.3.6. Mixtus was developed by D. Sahlin (for a detailed 
explanation of Mixtus, the reader can refer to [19]). Mixtus is an automatic 
partial evaluator for full Prolog. Given a Prolog program and a query, it will 
produce a new program specialised for all instances of that query. The partial 
evaluator is guaranteed to terminate for all input programs and queries. 

For a detailed explanation of the TranSys system, the reader is invited to 
consult 0. 

8 Conclusions and Future Work 

This paper results from the research that began by investigating the suggestions 
in m- The contributions of this research are: 

— pre-compilation of more general generalisation schemas (tupling and de- 
scending) than those in which were restricted to sub- families of divide- 
and-conquer programs; 

— discovery of the duality schemas; 

— discovery of the optimisability conditions; 

— validation of the correctness of the transformation schemas, based on the 
notions of correctness of a program, steadfastness of a program in a set 
of specifications, and equivalence of two programs (the correctness proofs 
of the transformation schemas given in this paper and in can be found 
in 0 ; another approach to validation of transformation schemas can be found 
in 

— development of a prototype transformation system; 

— validation of the effectiveness of the transformation schemas by performance 
tests. 

This research opens future work directions, such as: 

— extension to normal programs and open frameworks; 

— consideration of other program schemas (or schema patterns) ; 

— extension of the schema pattern language so as to express even more general 
program families; 

— representation of the loop merging strategy as a transformation schema; 

— search for other transformation schemas; 

— identification of optimisation conditions that always ensure improved per- 
formance (or complexity) of the output program wrt the input program; 

— validation of the effectiveness of the transformation schemas by automated 
complexity analysis (using GAIA [7| and/or GASLOG 0). 
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Abstract. Program schemas are known to be useful in different appli- 
cations such as program synthesis, transformation, analysis, debugging, 
teaching . . . This paper tackles two complementary aspects of program 
schemas. We first propose a language for the description of program 
schemas. It is based on a subset of second-order logic, enhanced with 
constraints and specific features of program schemas. One of the ba- 
sic operations on schemas is the semi-unification of a schema with a 
program. We then express the semi-unification process over schemas as 
rewriting and reduction rules, using CLP techniques, where constraints 
are used to guide the semi-unification process. 



1 Introduction 

In logic programming, the use of program schemas is a very promising tech- 
nique. In program synthesis, program schemas can formalize particular resolution 
methods (divide-and-conquer, generate-and-test approaches...), as investigated 
by Flener |^. Program transformations can advantageously be performed on 
schemas rather than on their instances (i.e. programs). See Fuchs, Fromherz [6], 
Vasconcelos, Fuchs Flener, Deville 0, Richardson, Fuchs ^[, Biiyiikyil- 

diz, Flener fact, the distinction between transformation and synthesis is 

not definitive, as said in Deville, Lau |^. 

In this introduction, we first describe the different ways of representing pro- 
gram schemas. We justify our choice of second-order objects for schema represen- 
tation. Related works are then presented. We finally make precise the objectives 
and contributions of this paper. 



1.1 Representing Schemas 

A schema is an object representing a set of programs. Various representations 
can be used for the description of a schema. We do not aim at presenting here 
an exhaustive survey. 



Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 69-^^ 1998. 
(c) Springer-Verlag Berlin Heidelberg 1998 
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First-Order Representation. First-order representations of schemas use first- 
order place-holders. In the following example (schema S): 

Example 1. Schema S\ 

r(X,Y) <— minimalpC), 
solve(X,Y) . 

r(X,Y) <— nonminimal(X), 

decompose(X, Head, Tail), 
r(Tail,Transf), 

compose(Head,Transf,Compl), 

Y=Compl. 

the first-order template predicates of the schema S (in italic in the schema) 
must be replaced by instance (non-place holders) predicates. For example, we 
obtain the program P from S by replacing the corresponding place-holders by 
“reverse”, “emptylist”, “declist” and “addatend” (and switching some of their 
parameters) : 

Example 2. Program P\ 

reverse(X,Y) ^ emptylist(X), 
emptylist (Y). 
reverse(X,Y) ^ nonempty(X), 
declist(X,H,T), 
reverse(T,T2), 
addatend(T2,H,Y2), 

Y=Y2. 

The main characteristics of this approach are the following : 

1 . There is no clear distinction between place-holder and non place-holder pred- 
icates. 

2. It is not easy to introduce place-holders for constants (e.g. empty list). For 
this purpose, extra predicates could be added. 

3. Considering our semi-unification objective, there is no easy formalization of 
the matching process between schemas and programs. 

Other first-order representations are possible, such as the representation ad- 
vocated by Flener et al. where the concept of open program is used. In this 
framework, a schema can be seen as a program where some of its predicates are 
open (their implementation is not known, but they fulfill some given axiomatic 
properties) . 



Second- Order Representation. Higher-order terms are normally difficult to 
deal with, since higher-order unification is undecidable HD and there is no most 
general unifier. To handle these difficulties we can either use “standard” or “spe- 
cific” second-order logic. 
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Using “Standard” Second-Order Logic. One can accept the previous difficulties 
and use, for instance, the pre-unification procedure of Huet [13]. This procedure 
performs a systematic search for determining the existence of unifiers. 

Using “standard” second-order logic has a major drawback: the lack of ex- 
pressiveness if one generalizes too much, for instance, by allowing second-order 
variables to represent entire clauses. 

Using “Specific” Second-Order Logic. One can also restrict oneself to a sub- 
set of higher-order terms which is tractable. Higher-order patterns form such 
a subset of higher-order terms which was investigated among others by Nip- 
kow PI- Higher-order patterns unification is decidable and there exists a most 
general unifier of unifiable terms. Another alternative is to use decidable sub- 
cases of higher-order unification without changing the language (for instance 
second-order matching P) if the problem permits it. 

Using “specific” second-order logic does not necessarily mean using a subset 
of second-order logic. One can also extend second-order logic by introducing new 
features. 

Our choice. In this paper, schemas are formalized using a second-order logic. 
The basis of the language is a subset of classical second-order logic. We also 
extend the language by first introducing specific features of program schemas, 
and by introducing constraints in the language. 

The resulting language, described in the next sections, offers a powerful for- 
malization of program schemas. The introduction of constraints enhances the 
expressiveness of the language and guides the semi-unification process. 

In this language, the schema S of example Qwould be written as schema S'\ 

Example 3. Schema S'\ 

R(T1,Y) ^ Min(_E), 

Solve(Y). 

R( Jvf,Y) ^ NMin(_N), 

Decompose ( _N , _Head , _Tail) , 

R(_Tail,_Tail2), 

Compose(_Tail2,_Head,_Res), 

Y=_Res. 

The substitution 0, solution of S' 9 — P, is: 

{ R/reverse, Sol ve/empty list, _E/X, _N/X, Min/emptylist, NMin/nonempty, 
Decompose/declist, _Head/H, _Tail/T, _Tail2/T2, Compose/concat, _Res/Y2 }. 
See Sects. El and 0 for details. 

We now give a more elaborated example illustrating various aspects of such 
schemas. 
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Example 4- 

P([],&i) ^ Gi. 

P([.P|_T],&2) ^ < Q{-H) », P{-T,k3), G 2 . 

In this schema, &i, &2 and &3 denote three sequences of terms, Gi and G 2 
denote an atom and the annotation means that Q{-H) is optional. Possible 
global constraints on this schema are: 

1. length_eq(&i, P) A length_eq(& 2 , P) A length_eq(& 3 , P), which means that 

the instances of &i, &2 and &3 must have the same length, 

2. variable(_P) A variable(_T): _P and _T instances are first-order variables. 

1.2 Related Work 

Miller, Nadathur m present AProlog which is a higher-order extension of Pro- 
log manipulating objects such as function and predicate variables, formulas and 
programs. Unification in AProlog is based on second-order unification. The pre- 
unification procedure of Huet is used to handle the second-order unification un- 
decidability. 

There is a major difference between AProlog and our schema language. Their 
goals are different. AProlog is a logic programming language in the same way 
Prolog is. It is aimed at computing some results from some program. Our purpose 
is not to execute program schemas, but to provide a powerful and expressive 
representation language for program schemas. 

Kraan et al. m synthesize logic programs as a by-product of the planning 
of their verification proofs. This is achieved by using higher-order meta- variables 
at the proof planning level, which become instantiated in the course of planning. 
These higher-order variables can represent functions and predicates applied to 
bound variables. The formulas containing them are higher-order patterns. 

Hannan, Miller m present source-to-source program transformers as meta- 
programs that manipulate programs as objects. They show how simple trans- 
formers can be used to specify more sophisticated transformers. They use the 
pre-unification algorithm of Huet. 

Gegg-Harrison 0 proposes a hierarchy of fourteen logic program schemas 
which are second-order logic expressions and generalize classes of programs in 
the most specific generalization (msg) sense. In 0, he defines logic program 
schemas with the help of AProlog to avoid using any meta-language. In [10], 
he extends these AProlog program schemas by applying standard programming 
techniques, introducing additional arguments and combining existing schemas. 

Flener, Deville ^ show that some logic program generalization techniques 
can be pre-compiled at the program schema level so that the corresponding 
transformation can be fully automated. They also use second-order matching 
implicitly. 

Flener P] defines a logic algorithm schema as: VXi...VX„ R{Xi...Xn) <tA F. 
This is a second-order form of Kraan’s specification m- \/args.prog{args) ^ 
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spec(args). The author presents semantic constraints on instances of place- 
holders. In particular, he details constraints on the divide-and-conquer schema. 
For the instantiation of the latter to result in valid divide-and-conquer logic 
algorithms, constraints are expressed on the induction parameter, for example. 

Huet, Lang [15] describe a program transformation method based on rewrit- 
ing rules composed of second-order schemas. Fuchs, Fromherz and Vascon- 
celos, Fuchs present schema-based transformation formalisms and tech- 

niques. Implicit second-order matching is used in these papers |inE22,23]. 

The formalism of schemas, as defined in Vasconcelos, Fuchs [22,23], allows 
one schema to describe a class of logic programs in a suitable Horn-clause no- 
tation. Vasconcelos, Fuchs introduce features adding expressiveness to schemas: 
predicate and function symbol variables, possibly empty sequences of goals or 
terms. They also introduce constraints over schemas: argument positions, argu- 
ment optionality, recursive or non-recursive predicates. In , constraints are 
part of schemas and take part of the expressiveness augmentation. 

In the paper, the formalism describing schemas is a variant of that of Vascon- 
celos, Fuchs [22Eni. But here constraints are separated from first- and second- 
order objects. 

1.3 Objectives 

Due to the extensive use of program schemas in various domains, there is a need 
for a powerful language for the description of schemas, and for operations (such as 
semi-unification) manipulating such schemas. The objective of the paper is first 
to provide a description language for schemas, where constraints are integrated, 
then to propose a semi-unification process over schemas. 

Coming from Vasconcelos, Fuchs’ work, this paper obviously stands in the 
field of program transformation, where semi-unification is useful to match second- 
order schemas and programs. That is the reason why we focus ourselves onto 
the semi-unification problem. 

Let S' be a schema, and c be the initial constraint set associated to S. Let P 
be the program with which S has to be semi-unified. 

The starting pair (S = P , c) is transformed via successive rewriting rules to 
(0 , c'). During the whole process, the successive versions of the constraint set 
remain consistent. At the end, there is a substitution 9 £ c' such that 6 satisfies 
c in S' and S9 = P. 



1.4 Contributions 

The main contributions of the paper are the following: 

1. Definition of a description language for program schemas, where constraints 
are explicitly integrated. The introduction of constraints increases the ex- 
pressive power of the language. It allows schemas to contain more knowledge. 
It also offers a guided search in the semi-unification process. 

2. Definition of an extensible first-order constraint language over schemas. 
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3. Expression of the semi-unification process over schemas as rewriting and 
reduction rules, 

4. Presentation of two semantics: one based on program instances, and the 
other on rewriting rules. 

1.5 Structure of the Paper 

Section 2 gives the syntax of schemas. It defines first- and second-order objects. 
Section 3 presents needed features of schemas and the first-order language of 
constraints. We make the distinction between global and local constraints. The 
fourth section gives the meaning of schemas relating to their instances (semantics 
1). It also defines substitution pairs. Section 5 presents the general form and 
spirit of the rewriting rules. It also presents the rewriting semantics of schemas 
(semantics 2). Finally, we conclude in Section 6 and give further research steps. 
Appendix A presents a subset of rewriting rules. Appendix B gives an example. 

2 Syntax of Schemas 

A schema contains second-order and first-order objects. In order to simplify the 
presentation, the number of clauses in a schema will be fixed, although some 
interesting schemas have a variable number of clauses. The technical results can 
easily be extended to remove this restriction. 

In our framework, no variable can represent an entire clause, but only atoms 
and sequences of atoms in a clause. This is a compromise between expressiveness 
and efficiency of the semi-unification process. We thus choose a subset of full 
second-order logic. 

2.1 Basic Components 

Basic components of programs and of schemas are first-order and second-order 
objects. First-order objects are present in schemas and in programs. Second-order 
objects only appear in schemas. 

Definition 1. A first-order object (FObject) is either a term (term), in partic- 
ular constant or variable, an atom (atom), a function symbol (fs), a predicate 
symbol (ps), a sequence of terms (seqterm) or a sequence of atoms (seqatom). 

Constants are denoted by a, 6, c ... , variables hy X,Y, Z , function symbols 
by /, g, ft. ... or particular symbols like • (list function symbol) and predicate 
symbols hy p, q, r . . . 

Definition 2. A second-order variable (SObject), also called place-holder, is 
either a term variable (Vterm), an atom variable (Vatom), a function symbol 
variable (Vfs), a predicate symbol variable (Vps), a sequence of terms variable 
(Vseqterm) or a sequence of atoms variable (Vseqatom). 

In next sections, two other place-holders, length variable (Vlength) and posi- 
tion variable (Vpos), will be introduced and their meanings explained. 
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In the following, term variables are denoted by _X, _y, JZ . . . (note the under- 
score), atom variables by Pi, P2, P3 . . . , function symbol variables by P, G, H 
. . . , predicate symbol variables by P, Q, P . . . , sequence of terms variables by 
&i, &2, &3 • • .and sequence of atoms variables by Gi, G2, G3 . . . Vlength are 
denoted by P, L2, P3 . . . and Vpos by p, pi, p2, Ps ■ ■ ■ 

2.2 Grammar of Schema 

All place-holders are implicitly universally quantified. It means that all second- 
order variables are global to the schema. Thus there is a difference betv |eCT| 
schemas and programs in which first-order variables are local to clauses. 

Definition 3. A second-order schema is defined by the grammar: 

Schema ::= SOrdCl \ SOrdCl Schema 
SOrdCl ::= SOrdP \ SOrdP ^ SOrdBody 
SOrdBody ::= SOrdP j SOrdP, SOrdBody 

SOrdP ::= Vseqatom \ Vatom \ Vps \ Vps(SOrdArg) \ atom \ ps(SOrdArg) 
SOrdArg ::= SOrdT \ SOrdT, SOrdArg 

SOrdT ::= Vseqterm \ Vterm \ Vfs \ Vfs(SOrdArg) \ term \ fs(SOrdArg) 

All terminal symbols have been defined in Section 2 . 1 . In the remaining of 
the paper, SOrdP is called second-order predicate and SOrdT second-order term. 
Characteristics of the syntax are described next. 

In a program schema (and in a logic program), a comma separating two atoms 
has the same meaning as the logic and (A) but constrains the order of atoms. 
A comma separating two terms is an argument separator which also constrains 
the order of the parameters. 

In a schema, first-order objects may co-exist with second-order objects. This 
is viewed as a partially instantiated schema. For instance: in the one-clause 
schema 

p{.X) ^ Q{Y). 

p is a predicate symbol, Q a predicate symbol variable, Y a first-order term (a 
first-order variable) and _A a second-order term variable. 

Definition 4. A program is a schema without second-order variables. More pre- 
cisely, we define Program (resp. FOrdBody, FOrdCl, FOrdP and FOrdT) as be- 
ing Schema (resp. SOrdBody, SOrdCl, SOrdP and SOrdT) without second-order 
variables. 

Programs are thus classical Horn clause programs (without extra logical fea- 
tures such as cuts). Schemas and programs do not contain negations in the body 
of clauses. This syntactical restriction can easily be removed without affecting 
the complexity of our results. 
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Example 5. Complete example. 

Let the schema S be: 

P([],&i) ^ Gi. 

p([_g|_r],fc2) ^ G2 , p(-T,&3), G 3. 
where 

1. P is a predicate symbol variable (Vps) 

2. &i, &2 and &3 are variables of sequence of terms (Vseqterm) 

3. Gi, G2 and G3 are variables of sequence of atoms (Vseqatom) 

4. and JT are term variables (Vterm) 

Let the program Prog be: 
sum([ ],0). 

sum([x|Xs], S') ^ sum(Xs,SXs), S is X + SXs- 



S is semi-unified with Prog {S.9 = Prog) if 9={ P/sum, &1/O, &2/S, ks/SXg, 
.H/X, .T/X,, Gi/0, G2/0, G3/S is X + SX, } 

3 Constraints Language 

In our framework, a schema is not a classical second-order object. It needs in- 
corporating features essential to the objectives of program representation and 
manipulation. 

1. Term positions among arguments of predicates and functions, 

2. Representation of possibly empty sequences of atoms, 

3. Representation of possibly empty sequences of terms, 

4. Argument length constraints, 

5. Instantiation form constraints (constant, ground, var . . . ), 

6. Optional atoms and terms, 

7. Interchangeability of predicate and function parameters. 

Most of these features are already present in I22E31. 

Restrictions. 

1. Although the above characteristics are syntactical, semantic constraints on 
place-holders, such as defined in 0, could also be considered. Such con- 
straints are useful to instantiate schemas into valid programs. However we 
do not consider such constraints in this paper. These could easily be included 
in the framework. 

2. Interchangeability of clauses and predicates in bodies of clauses is not con- 
sidered here. Such a reordering can be performed at the program level, as in 
the Mercury language 123. 
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In order to express such constraints on program schema, a first-order con- 
straint language is now defined. It is necessary and useful in the context of 
program schema and program synthesis/transformation. Constraints are defined 
on schema place-holders. Some are global to the whole schema and others are 
local to occurrences of place-holders. Constraints on a schema will restrict the 
possible instantiations of the schemas to instances satisfying the constraints. The 
following set of constraints are extensible. 



3.1 Global Constraints 

Global constraints handle forms and lengths of instances of second-order vari- 
ables. In our framework, an instantiation of a second-order variable is also a 
global constraint. 

1. Form Constraints. Term variable instances can be constrained to be constant, 
variable or ground, and atom variable instances to be ground. Possible form 
constraint predicates are: constant(-X) , ground(-X) and var(-X) for terms 
and ground(Pk) for atoms. 

2. Length Constraints. Global constraints can also apply on the length of the 
instances of sequence of terms (resp. atoms) variables, i.e. on the number of 
terms (resp. atoms) in Vseqterm (resp. Vseqatom) instances. Length con- 
straint predicates are: length_eq {X, L), length_geq {X, L) and lengthJeq {X, 
L). Length constraints include hard constraints (length is compared to an 
integer) and soft constraints (length is compared to a variable). Variables 
constraining the lengths of sequence of terms and atoms variable instances 
are called Vlength variables and will have to be instantiated to integers. 

3. Clobal Constraint Combinators. Form and length constraints can be linked 
by constraint combinators: A (logic and), V (logic or) and ^ (logic not). 

Example 6. Term variable instance constrained to be either a constant or 
a variable: constant(_X) V var(_V) ; two Vseqterm variables instances con- 
strained to have equal lengths: length_eq(&i, L) A length_eq(& 2 , L). 

We choose an untyped second-order representation. Notice that types could 
be introduced at the constraint level (global constraints). 



3.2 Local Constraints 

Local constraints relate to positions of parameters, interchangeability of groups 
of parameters, and locally empty place-holder instances. 

1. Position Constraint. The position constraint applies to second-order pred- 
icates and terms, except sequence variables (Vseqatom and Vseqterm). A 
position constraint is denoted by followed by an integer (hard constraint) 
or a position variable (soft constraint) which will have to be instantiated to 
integers. 
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Example 1. In the partial schema “P(&i, Q(& 2 , -Y, & 3 , -Z^p, & 4 )”, 

the instances of -X and -Z must have the same positions among the param- 
eters of P and Q predicate instances. 

2. Interchangeability of Parameters. Interchangeability constraints are defined 
via unordered groups, denoted by ©( . . . ). This introduces the commutativity 
of predicate and function parameters in schemas. Inside unordered groups, 
only second-order terms may appear. In such groups, second-order terms 
order is not fixed. It is only at the instance level that the parameters have 
fixed positions. 

Example 8. According to the schema part “P(©(&i, _A, & 2 ))”, any instance 
of ©(&!, _A, & 2 ) in P will be a permutation of instances of &i, _A and & 2 - 

3. Optional Objects. Optional arguments and atoms are denoted by: <C A 
Option constraints apply to second-order predicates and terms. 

Example 9. According to the schema part “P(&i,<C -X :^,& 2 )”, the in- 
stance of ^ _A ^ in P is either the instance of _A itself or 0. 



Example 10. Complete example. 

Over the following schema: 

P([],&i) ^ Gi. 

P([_g|_r],fc2) ^ < Q{-H) >, P(_r,fc3), 02. 

a local constraint (optional object) is defined: <C Q{-H) Other global con- 
straints could be defined: 

1. length_eq(&i, P) A length_eq(& 2 , P) A length_eq(& 3 , P) which means that 
all &i (1 < i < 3) instances must be of same length, 

2. variable(_ff) A variable(_T): and _T instances are first-order variables, 

3. length_eq(Gi, 0) which means that Gi instance must be of length equal to 0. 

We can easily extend the set of constraints by adding new constraint predi- 
cates. For example, we could use the following predicate to mean that G 2 does 
not contain predicate P: not_in(G 2 , P). 

From the examples of this section, one can easily see the expressiveness of 
the proposed constraint language. It allows the description of schemas to contain 
knowledge. It also allows a single schema to represent what would require several 
schemas using other representation schemes. The extensibility of the constraint 
part of the language is an advantage. One can add new constraints depending 
of the specific use of the schemas (program transformation, program synthesis 
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4 Meaning of Schemas 

In this section, we introduce the semantics of schemas. The semantics of program 
schemas can be defined in different ways. The first semantics defines the meaning 
of a schema as the set of all its possible instances which respect the constraints. 
This is close to the idea that a schema “represents” a class of programs. With 
this representational semantics of schemas, one can then choose any semantics 
at the program level. A second, constructive, semantics will be presented in 
Section 1.1 ..'ll 

Definition 5. A schema is a pair {S, c) , where S is a program schema annotated 
with local constraints, and c is a set of global constraints. 

4.1 Substitutions 

Definition 6. A substitution pair (SP) is a pair SObject/FObject of type: 
Vterm/term, Vfs/fs, Vseqterm/seqterm, Vatom/atom, Vps/ps, Vseqatom/ se- 
qatom, Vlength/integer or Vpos/integer. Since sequence of terms and atom vari- 
ables may instantiate to the empty sequence ( denoted 0 ), the pairs Vseqterm/tb 
and Vseqatom/tb are allowed. 

In our approach, substitution pairs themselves are viewed as global con- 
straints on schema place-holders. 

Definition 7. A substitution is a finite set of substitution pairs Si/pi, i.e. a= 
{ Si/ Pi I 1 < i < n} with the property that Vi, j < n : Si = sj ^ i = j . 



Example 11. 

Vterm/term: _X/sum{X,Y,Z), 

Vseqterm/seqterm: ki/ f{X), g{Y), 

Vfs/fs: F/sum, 

Vseqatom/seqatom: G\/ father{X, Y),husband{X, Z), 
Vps/ps: P/ father. 



Definition 8. The application of a substitution <J={ Si/pi | 1 < f < n} to 
a schema S , denoted Sa, is obtained by the simultaneous replacement of all 
occurrences of Si by pi in S. 

4.2 Satisfaction of Constraints 

Let us first make precise the concept of a substitution 9 satisfying a global cons- 
traint c. We consider the different form of the constraint c : 

1. constant{-X) is true iff -X9 is a constant, 

2. ground{_X) is true iff -X9 is ground, 

3. var{_X) is true iff -X9 is a variable. 
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4. length_eq{X, L) {length_geq{X , L), lengthJeq{X, L)) is true iff X9 has length 
equal (greater than or equal, less than or equal) to L. 

This extends easily to constraint combinators. 

The satisfaction of the local position constraint is now defined. Let -X^fp 
be a position constraint occurring in a subformula F{. . . -X^p . . .) of a schema 
S. A substitution 9 satisfies this position constraint in S iff, in S9, the above 
subformula is instantiated to /(ei, . . . , ek-i,t^k, Ck+i, ■ • ■ , e„) for some terms 
ei, . . . , e„ , and some predicate or function symbol / (_A is instantiated to some 
term t, and p to the integer k) . 

The definitions of satisfaction for the other local constraints can be defined 
similarly. 

Definition 9. Let {S, c) he a schema and 9 a substitution. 9 satisfies the con- 
straints of (S', c) iff 9 satisfies c, and 9 satisfies the local constraints in S. 

4.3 Schema Instances 

We are now in position to define the first semantics. The semantics of the schema 
(S, c), denoted by |S, c]i, is defined by means of all its possible program in- 
stances. 

Definition 10. P is an instance of schema (S, c), denoted by P G |S, c]i, iff 
there exists a substitution 9 such that P ~ S9, and 9 satisfies the constraints of 
{S,c). 

P ~ S9 means P = S9 after elimination in S9 of the syntactic constructs 
attached to schemas by the local constraints (©( ), # and <C 1^). 

Example 12. Schema S: Q(_A#1,<C -Y 1^) with c = 0 ; program P: q{X,Y). 
Then the substitution 9 is: 9={ Q/q, -XfX, .Y/Y }. We have P = q{X,Y) ~ 
g(X#l,< Y>) = S9. 

The semi-unification process is not deterministic. If P € [S', c]i, there could 
exist different substitutions 9i and 02 such that P ~ S9i and P ~ 392. 

Example 13. 

Schema S\ P{-X) ^ G\,Q{-X),G 2 with c = 0 
Program P: p{X) ^ qffX),q 2 {X) 

The two substitutions 0i={ P/p, -X/X, Gi/qffX), Q/q 2 , G 2/0 } and 02={ P/p, 
-X/X, Gi/0, Q/qi, G 2 lq 2 {X) } are such that P ~ S9\ and P ~ 392. 

5 Rewriting Rules 

We present here a more constructive semantics, based on rewriting rules. This 
semantics will allow an implementation of a semi-unification algorithm. 
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5.1 Form of Equations 

An equation Eq appearing in a rewriting rule is an equation (or a set of equa- 
tions) of type a=j3 where: 

1. a and [3 are respectively second-order (Schema, SOrdBody, SOrCl, SOrdP, 
SOrdT) and first-order (Program, FOrdBody, FOrCl, FOrdP, FOrdT) ex- 
pressions: for example, P([_iJ|_T]), & 2 ) = islist{[T\Q]), 

2. or a is a [sequence of atoms] variable (Vseqatom) and /3 is a sequence of 
second-order predicates without Vseqatom: for example, G\ = Pi,P 2 ,Ps, 

3. or a is a [sequence of terms] variable (Vseqterm) and /3 is a sequence of 
second-order terms without Vseqterm: for example, &i = -Ti, -T 2 , -T^. 

5.2 Starting Point 

Let {S, c) be a schema to semi-unify with a program P. The associated constraint 
set is c. It is composed of global constraints and substitutions considered as global 
constraints in this framework. 

The starting point is: {Eq , c) with equation Eq = S = P. 

5.3 Form of Rewriting Rules 

Rewriting rules handle the semi-unification process as well as constraint satis- 
faction. During the process, global constraints can be deleted from and added 
to the constraint set c. Substitutions, considered as global constraints, are also 
added to c. 

Rewriting rules are of two different forms: 

Applicability condition 
{Eq , c) I — > failure 

Applicability condition 
{Eq , c) I — > {Eq' , c') 

We also keep the invariant that, in a pair {Eq, c), c is satisfiable in Eq. Otherwise, 
this leads to failure. We thus have the rewriting rule: 

unsatisfiable(i?q, c) 

{Eq , c) I — > failure 

In addition to the applicability condition of each rewriting rule, it is assumed 
that the following invariant holds: 

satisfiable(i?( 7 , c) 

{Eq , c) I — > {Eq' , c') 

Finally, in the following, “[egi], [eq 2 ] ■ ■ ■ [eqi] • Eq” means “the set of equations 
composed of Eq U { eqi , eq 2 ... eqi }” . 

Appendix A presents some representative rewriting rules. 
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5.4 Final Point 

The process can fail or succeed: 

1. failure: {S = P , c) i — failure 

2. success: {S = P , c) i — (0 , c') 

where i — >* is the transitive closure of i — >, the rewriting symbol. 



5.5 Rewriting Semantics 

Now we define the semantics of a schema according to the rewriting rules. The 
semantics of a schema (S', c), denoted by |S, c] 2 , is defined as follows. 

Definition 11. P is an instance of schema (S, c), denoted by P G |S, c] 2 , ijf 
there exists a constraint set d such that {S = P , c) i — (0 , d). 

Obviously, the semantics |S, c]i and |S, c ]2 should be equivalent. The formal 
proof will not be developed in this paper. Let S be a schema, P a program. 

Definition 12. Existence of substitution: 
if (S = P , c) (0 , d) 
and 0 is the set of all substitution pairs of d 
then 9 is a substitution. 

9 is called the complete substitution of d . 



Conjecture 1 Soundness of |S, c ]2 wrt. |S, c]i: 

if (S = P , c) (0 , d) 

and 9 is the complete substitution of d 

then S9 ~ P and 9 satisfies (S, c). 



Conjecture 2 Completeness of |S, c ]2 wrt. |S, c]i: 
if p e IS, cli 
then P e |S, c] 2 . 

As the semi-unification process is not deterministic, some of the rewriting 
rules are non-deterministic (see Appendix A). In general, the semi-unification 
process in second-order logic is known to be decidable, but NP-complete [7]. 
Although our language is a subset of second-order logic (with some extensions), 
the potential exponential complexity is still present. However, the active use 
of constraints in the semi-unification offers a more efficient search for a correct 
solution. 
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6 Conclusion 

In this paper, we proposed a language for the description of program schemas. 
This language is based on a subset of second-order logic enhanced with con- 
straints and specific features of program schemas. The constraint language is 
extensible and permits the possible introduction of domain knowledge for the 
schemas. We then expressed the semi-unification process over schemas as rewrit- 
ing and reduction rules, using CLP techniques, where constraints are used to 
guide the semi-unification process. Appendix A shows some of these rewriting 
and reduction rules. Two semantics were also presented. The first semantics is 
based on program instances and the second on the rewriting rules. 

Further Research Steps. A first step will be the theoretical and practical analysis 
of the complexity of the semi-unification algorithm. We are also interested in 
the use of schemas in program synthesis. Starting from a schema and a set 
of constraints on its schema place-holders, the objective is the synthesis of a 
program. The synthesis is guided by successive additions of constraints. The 
initial schema becomes more and more instantiated until the program level is 
reached. The constraints used to instantiate the successive schema versions come 
from heuristics, specifications and user demands. This will require the extension 
of syntactical constraints to semantic constraints. 

This problem does not handle equations as defined in the paper, but only 
partially instantiated schemas (left-side of current equations) . Let S be the initial 
schema, c the associated constraint set. We construct the program P by means 
of a derivation: 

(S,c)^ {Si , Cl) ^ (A2 , C2) ^ . . . ^ (P , c„). 

At each step i of this derivation, new constraints can be added to the resulting 
set of constraints Cj (0 < i < n) to guide the synthesis process. 
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A Rewriting Rules Examples 

We only present here a subset of the rewriting rules. We focus on the most 
significant ones. The set of rewriting rules contains the classical rules for first- 
order unification [18]. 



A.l Constraints 

Interchangeability of Parameters Rule (Non-deterministic) . 

Xi. . ,X„ G SOrdT, X is one of the n! permutations of Ai. . .A„, t G seqterm, 

A and B are sequences of SOrdT 

{[A,Q{Xi...Xr,),B = t]»Eq, a) ^ {[A,X,B = Eq , a) 

Length Constraints Rules. 

Hard Length Constraints Rule. Hard length constraint rewriting rules are pre- 
sented for the length_eq predicate constraint. The first rule is about constraint 
on Vseqatom , and the second, on Vseqterm. 

Gk G Vseqatom, i G IN 

{Eq , crU {length.eq{Gk,i)}) ' — > {[Gk = Pi . . . Pi] • Eq{Gk/P\ ■■■Pi} , cr) 

where P\ ■ ■ ■ Pi are brand-new Vatom variables 
&fc G Vseqterm, i G IN 

{Eq , cr U {length.eq{Szk,i)}) ' — > ([&fc = -Pi Pi] • Eq{k,k/-Ti P*} , cr) 

where _Ti . . . _Ti are brand-new Vterm variables 

Soft Length Constraints Rule (Non-Deterministic). Soft length constraint rewri- 
ting rules are presented for the length_eq predicate constraint on Vseqatom. The 
Vseqterm case is similarly expressed. The rule is non-deterministic because j 
can be chosen between 0 and n (if j = 0, Gk = ^). 

Gk G Vseqatom, pi . . .p„ G atom, L G Vlength, 0 < j < n, 

A and B are sequences of SOrdP 

{[A, Gfc, P = Pi . . .p„] • Pg , CT U {lengthjeq{Gk, L)}) 

^ {[Gk = Pi . . . P,], [A Pi ■ • ■ Pi, P = Pi • • -Pn] • Eq{Gk/Pi ■ . . Pj} , 

where Pi . . . Pj are brand-new Vatom variables 



Hard Position Constraint Rules. 

X G SOrdP, X\ ■ ■ ■ Xj, Yi . . . Yfc G SOrdP, pi . . .p„ G atom, 1 < i < n 
([Vi . ■■Xj,X#i,Yi ■■■Yk=pi.. .pn] •Eq,a) 

I — > ([Vi ...Xj =pi.. .Pi-i], [X = Pi], [Yi...Yk= Pi+i ■■■p„]u Eq , cr) 
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X G SOrdP, Xi . . . Xj, Yi . . . Yfc G SOrdP, pi . . .pn G atom, i < 0 or i > n 
{[Xi . . . Xj, X#i, Yi...Yk=pi...pn]»Eq, cr) i — > failure 

Similar rules are for SOrdT. 



Optional Objects Rule (Non-deterministic). 

X G SOrdP (resp. SOrdT), x G seqatom (resp. seqterm), 

A and B are sequences of SOrdP (resp. SOrdT) 

([A, -4: X B = x] • Eq , a) i — > ([A, X,B = x]» Eq , a) 

X G SOrdP (resp. SOrdT), x G seqatom (resp. seqterm), 

A and B are sequences of SOrdP (resp. SOrdT) 

([A, X B = x] • Eq , a) i — > ([A, B = x] • Eq , a) 

A. 2 Others 

Vseqatom Rewriting Rule (Non-deterministic). 

Here we show the rewriting rules for the case of unconstrained Vseqatom. 

Gk G Vseqatom, pi. . .pn G atom, 0 < j < n, A and B are sequences of SOrdP 
{[A,Gk,B = Pi . . ,pn]» Eq , a) 

^ {[Gk = Pi... Pj], [A,Pi...Pj,B = pi.. .p„] . Eq{Gk/Pi . . . Pj} , a) 
where P\ . . . Pj are brand-new Vatom variables 

A Decomposition Rule. 

Here is an example of a decomposition rule applying on terms. Another similar 
rule applies on atoms. Failure rules are also needed if the numbers of the left-side 
and right-side arguments are not the same. 

Ti . . . T„ G SOrdT and T\ without option and position constraint, 
ti . . .tm € term, 

([Ti . . .Tn = ti . . .tm]» Eq , a) 

I — > ([Ti = ti], [T 2 ■ ■ - Tn = t 2 . ■ - tm] • Eq , a) 

T\ . . .Tn G SOrdT and T\ without option and position constraint 
([Ti . . . T„ = 0] • ifq , a) I — > failure 

ti . . .tm G term 

([0 = ti . . . tm] • Eq , a) I — > failure 



Second-Order Substitution Rule. 

X G SObject, x G FObject U { 0 } 

([A = x]» Eq , cr) I — > {Eq{X/x} , a U {X/x}) 
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First-Order Checking Rules. 

X G FObject U { 0 } 

([x = x]u Eq, cr) I — > {Eg , a) 

xi, X2 G FObject U { 0 }, xi ^ X2 
([xi = X2] • Eg , cr) I — > failure 

B Working Example 

Let the following schema {S,c), with 



Schema S: P([],&i) ^ Gi. 

P([-g|-T],fc2) ^ G2, P{-T,k 3 ), G3. 



and global constraints 



c={ length_eq(&i, L), length_eq(&2, L), length_eq(&3, L) } 



be semi-unified with the program P: 



Program P: islist([ ]). 

islist([ T\Q ]) ^ islist(( 5 ). 



As a first step, starting from {S = P, c), a previously undescribed rewriting rule 
derives the following set of equations: 

( P(D,&i) = islist([ ]), 

Gi = 0, 

F([_iF|.T],&2) =islist([T|Q]), 

G2, P(_T,&3), G3 = islist(( 5 ), 

C 

For clarity, we will handle the four equations separately now: 

1 . First equation: P([],&i) = islist([ ]) 

— > by an undescribed rewriting rule instantiating predicate symbol variable 
P to predicate symbol islist: 

([],&! = [], 

{ P/islist, length_eq(&i,P), length_eq(&2,P), length_eq(&3,P) } ) 

^ by the non-deterministic rule A.l (soft length constraint rule): 

(&i = 0, 

[],0 = [], 

{ P/islist, length_eq(&2,0), length_eq(&3,0) } ) 

Remark: if another branch of this non-deterministic rule is followed, the pro- 
cess fails. For example: ( &i=_Ti ; [ ], _Ti = [ ] ; { P/islist, length_eq(&2,l)) 
length_eq(&3,l) } ) ^ by rule A. 2 (decomposition rule): ( &i = _Ti, [ ] = 
[ ], _Ti = 0 , { P/islist, length_eq(&2,l)) length_eq(&3,l) } ) ^ by rule A. 2 
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again: failure due to _Ti = 0. In the remaining of the example, we shall 
follow success branches only. 

^ by rule A. 2 (second-order substitution): 

([],0 = [], 

{ P/islist, length_eq(&2,0), length_eq(&3,0), &i/0 } ) 

^ by rule A. 2 (decomposition rule): 

([] = [], 

0 = 0 , 

{ F/islist, length_eq(&2,0), length_eq(&3,0), &i/0 } ) 

^ by rule A. 2 (first-order checking): success 
(0, 

{ F/islist, length_eq(&2,0), length_eq(&3,0), &i/0 } ) 

2. Second equation: Gi = 0 

— > from the result of the first equation and by rule A. 2 (second-order sub- 
stitution): success 

(0, 

{ F/islist, length_eq(&2,0), length_eq(&3,0), &i/0, Gi/0 } ) 

3. Third equation: F([_iJ|_T], &2) = islist([ T\Q ]) 

— > from the result of the previous equations: 

( islist([ ], &2 ) = islist([ T\Q ]), 

{ F/islist, length_eq(&2,0), length_eq(&3,0), &i/0, Gi/0 } ) 

— > by an undescribed rewriting rule checking predicate symbols (islist): 
([.F|_T],&2 = [T|Q], 

{ F/islist, length_eq(&2,0), length_eq(&3,0), &i/0, Gi/0 } ) 

— > by the rule A.l (hard length constraint rule): 

( &2=0, 

[ _F|_T ] = [T\Q ], 

{ F/islist, length_eq(&3,0), &i/0, Gi/0 } ) 

^ by a variant of rule A. 2 (second-order substitution): success 

( 0 , 

{ F/islist, length_eq(&3,0), &i/0, Gi/0, &2/0, -H/T, .T/Q } ) 

4. Fourth equation: G 2 , F(_T, & 3 ), G 3 = islist((5) 

— > from the result of the previous equations: 

( G2, islist((5, &3), G3 = islist(Q), 

{ F/islist, length_eq(&3,0), &i/0, Gi/0, &2/0, -H/T, .T/Q}) 
by the non-deterministic rule A. 2 (Vseqatom rewriting rule): 

( G 2 = 0, 

G3 = 0, 

islist((5, &s) = islist((5), 

{ F/islist, length_eq(&3,0), &i/0, Gi/0, &2/0, -H/T, .T/Q } ) 
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^ by rule A . 2 (second-order substitution): 

( islist((5, &3) = islist((5), 

{ P/islist, length_eq(&3,0), &i/ 0 , Gi/ 0 , &2/0, -H/T, -T/Q, 

G2/0, G3/0 } ) 

^ by an undescribed rule checking predicate symbols: 

( Q, &3 = Q, 

{ P/islist, length_eq(&3,0), &i/ 0 , Gi/ 0 , &2/0, -H/T, -T/Q, 

G2/0, G3/0 } ) 

^ by same rewriting rules as before: success 

( 0 , 

{ P/islist, &1/0, Gi/ 0 , &2/0, &3/0, _T/Q, G2/0, G3/0 } ) 

At the end of the resolution we have: ( 0 ;cr), with a={ P/islist, &i/ 0 , &2/0, 
&3/0, -H/T, -T/Q, Gi/ 0 , G2/0, G3/0 }. From this constraint set, we derive the 
complete substitution which is a itself. We have that S a ~ P. 

In this complete example, 14 rewriting rules have been applied to find the 
substitution. For failure branches of the non-deterministic rules to be explored 
until failure, 10 extra rewriting rules have also to be applied. 
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Abstract. Synthesis of logic programs is considered as a special in- 
stance of logic programming. We describe experience made within a log- 
ical metaprogramming environment whose central component is a re- 
versible metainterpreter, in the sense that it is equally well suited for 
generating object programs as well as for executing them. Requirements 
telling that certain goals should be provable in a program sought can be 
integrated with additional sideconditions expressed by the developer at 
the metalevel, and the resulting specihcations tend to be quite concise 
and declarative. For problems up to a certain degree of complexity, this 
provides a mode of working characterized by experimentation and an 
ability to combine different methods which is uncommon in most other 
systems for program synthesis. Reversibility in the metainterpreter is 
obtained using constraint logic techniques. 



1 Introduction 

The synthesis of a logic program is usually understood as a constructive pro- 
cess starting from a more or less complete logical specification and/or examples 
of what belongs (or not belongs) to the desired relation. This may be guided 
by the developer’s growing understanding of the task or by heuristics built in 
to automatic or semiautomatic tools. This process can be performed on logic 
specifications, gradually being transformed into the subset consisting of efficient 
logic programs, or on other mathematical structures such as proofs from which 
programs can be extracted. 

In this paper, we propose a slight shift which is more along the line of logic 
programming in general. The logic programmer tends to state requirements to 
the result he wants rather than concentrating on the procedure or process that 
leads to this result. In program synthesis, the desired result is a program — as 
opposed to, say, a sorted or reversed list. 

We describe a metaprogramming environment whose central component is a 
reversible ‘demo’ predicate. This is a binary proof predicate parameterized by 
representations of object program and query, reversibility means that it can be 
used, not only for executing object programs, but also for generating them. By 
means of ‘demo’, the program developer (i.e., the metaprogrammer) can state 
semantic requirements to the program sought of the form “this and this must 



Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. QO-LLLUI 1998. 
© Springer- Verlag Berlin Heidelberg 1998 



Implicit Program Synthesis by a Reversible Metainterpreter 



91 



be provable” or not provable”. This can be combined with syntactic require- 
ments concerning which predicates, control patterns, etc. that are allowed, and 
perhaps other calls to demo that express integrity constraints or similar things. 
As in logic programming in general, we expect the underlying interpreter to 
come up with solutions (here: programs) that satisfy the different requirements. 

The possible success of such an approach depends on to what extent the 
available linguistic means make it possible to express “in a natural way” re- 
quirements that effectively delineate a class of interesting programs. We will 
show examples developed in our system and especially for simple abduction and 
induction tasks the approach looks promising, the definitions of such tasks being 
surprisingly concise and readable. The most interesting observation is, perhaps, 
to see how declarative specifications can be re-used in order to express different 
ways of reasoning. It appears also that the experimental mode of working, for 
which logic programming is appreciated (by some developers, at least) is pre- 
served, by continually enhancing and testing a specification. For the synthesis 
of recursive programs, we cannot present similar experience and we will discuss 
possible extensions of our approach in the final section. 

It is obvious to us that the sort of technology we present only can develop into 
a complement to “explicit” techniques based on program transformations. There 
are knowledge and heuristics needed for complex and realistic programming tasks 
which best can be described — if it can be described at all — by means of 
transformation techniques. This is quite analogous to the fact that declarative 
programming never completely can rule out procedural programming. 

In the rest of this introduction we give an overview of the approach and a compar- 
ison with related work. Section 2 describes the principles behind our constraint- 
based implementation of ‘demo’ and section 3 sketches the features of the im- 
plemented system that we will refer to as the Demo system. Section 4 shows 
examples of program synthesis developed in this system, one giving a combina- 
tion of default reasoning with abduction and induction, and a natural language 
analysis based on abduction in a way that would be difficult to fit into other 
systems for abduction. Section 5 discusses possible improvements to make it pos- 
sible to approach more complex problems. The Demo system is available on the 
World Wide Web at the address http://www.dat.ruc.dk/software/demo.html. 



1.1 A Brief Overview 

An approach to program synthesis has an object language in which the resulting 
programs appear, in our case positive Horn clause programs. We represent object 
programs and fragments thereof as ground terms in a metalanguage which basi- 
cally is Prolog extended with various metaprogramming facilities, most notably 
the ‘demo’ predicate. For any phrase P of the object language, the notation [ P] 
will stand for the term in the metalanguage designated as the name of P. The 
‘demo’ predicate is a formalization of the usual notion of provability embedded 
in a logic program interpreter; we can specify it as follows. 
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demo([P], [Q]) iff P and Q are object program and query such that 
there exists substitution a with 
Ph Qcr 

A metavariable, say X, placed in the first argument will thus stand for a piece 
of program text, and a logically satisfactory implementation will produce pro- 
gram fragments which make Q provable. By means of additional side-conditions, 
‘demo’ can be instructed to produce programs within a certain class as illustrated 
by the following pattern. 



useful(A) A demo(- •• A •••,•• •) 

The ‘useful’ predicate may specify syntactic requirements perhaps extended with 
additional calls to ‘demo’. In this way, a choice of ‘useful’ can define a reasoning 
method, e.g., abduction or a class of inductive problems, and the remaining parts 
of the arguments to demo set up the specific problem to be solved. 



1.2 The Need for Constraints and Delays 

It can be argued that a direct implementation of in “classical” Prolog, with its 
top-down computation rule, is insufficient in order to provide the reversibility 
in the ‘demo’ predicate that we have assumed. The problem is that the space 
of solutions to a call to ‘demo’ — or the subgoals we can expect inside ‘demo’ 
— typically is infinite in such a way that no finite set of terms will cover it 
by subsumption. This implies that a failure in the computation easily can pro- 
voke a generate-and-test-forever loop. In addition, all known implementations in 
Prolog of ‘demo’ (i.e., those parameterized by a detailed representation of the 
object program) include tests which, depending on the underlying interpreter, 
will lead to either floundering or unsound behaviour in case of an uninstantiated 
metavariable standing for a part of the program being interpreted. An obvious 
way to get around this problem is to use constraint logic. We have used a well 
known program structure for implementing ‘demo’, but with the primitive opera- 
tions implemented as constraints — which means that these operations typically 
delay when called with partly instantiated arguments, and the constraint solver 
makes sure that the set of delayed constraints always is satisfiable. In section 2 
we describe our constraint-based implementation; the constraint solver can be 
found in the appendix. 

A similar argument can be made for the additional sideconditions depicted 
as the ‘useful’ predicate above. However, it is a quite difficult task to write a 
constraint solver and luckily, as it will appear in our examples, it turns out to 
be sufficient to use the sort of delay mechanisms that are available in current 
implementations of Prolog m- 

The ‘demo’ predicate was initially suggested by Kowalski in his book from 
1979 ^Sj, however, with no attention to the possibility of using it in reverse 
for program synthesis. In 1992, T. Sato pn] and Christiansen [7| published in- 
dependently different methods for obtaining this kind of reversibility in ‘demo’ 
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although these results were mostly of a theoretical interest. Apart from our own 
constraint-based implementation, we are not aware of any practically relevant, 
fully reversible versions; for more background in this topic, see [8]. 

1.3 Related Work 

For a general overview of the area of logic program synthesis, we refer to the 
present and previous proceedings of the LOPSTR workshops, and to compre- 
hensive reviews contained in two recent books iHiini . 

In order to compare our approach with other work, we emphasize the no- 
tion of program schemas. A program schema is a template which represents a 
certain class of programs, e.g., the class of divide-and-conquer programs, having 
placeholders which can be instantiated as to produce concrete programs. Such 
schemas are used in “manual” approaches to program construction, e.g., [1,17], 
and in (semi-) automatic transformation-based approaches, e.g., jl 41 1 2.5.1 .3.33]. 
A transformation can be specified in such a way that a program matching one 
schema is transformed into another, intendedly improved, program described 
by another schema. Program schemas can be understood as second-order ob- 
jects iCBEg. Other authors [bl 1 3j represent program schemas by means of so- 
called open first-order programs, open in the sense that some of the predicates 
used are unspecified. 

In our framework, the ground representation combined with metalevel predi- 
cates supplied by the user serves the purpose of program schemas. Programs are 
given by first order terms, and ordinary logical variables take the role of place- 
holders, referred to here as metavariables as they are part of a metalanguage 
and in general stand for representations of object program fragments. In [6] a 
suggestion is given for a general framework for program schemas integrated with 
constraints, quite similar to what we obtain in a logic metaprogramming setting. 

Most approaches to program synthesis, including those mentioned above, in- 
corporate some kind of strategy for controlling the application of transformation 
steps in order to provide a convergence towards an improved program. In our 
approach, which is an application of logic programming, ‘demo’ becomes a blind 
robot, which will produce in principle any program satisfying the different re- 
quirements set up by the developer. As in logic programming in general, it is 
difficult to point out a best solution to a problem, which is relevant when we are 
searching not only for a correct program but also for an efficient one. On the 
other hand, this is partly compensated by the ease with which new criteria can 
be set up. 

We also mention the work by Numao and Shimura from 1990 which seems 
to be the first suggestion for using a reversible ‘demo’ predicate for program 
synthesis. They propose a quite interesting approach, using explanation based 
learning Em for analyzing existing programs in order to re-use their inherent 
strategy for the synthesis of new programs. This can be seen as an automatic 
way to extract “program schemas” that otherwise may be difficult to formalize by 
hand. It could be interesting to take up this idea with a capable implementation 
of ‘demo’ such as our constraint-based version. 
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Inductive logic programming (ILP) is another area concerned with prob- 
lems similar to those that we approach, namely the synthesis of programs from 
samples of their intended behaviour and additional conditions about the sort 
of programs that are preferred (in ILP called “bias”); we refer to [2,31,32] for 
an overview and introduction to the most common methods. The ILP systems 
described in the literature are typically directed towards specific kinds of applica- 
tions and the techniques used are often related to those used in transformation- 
based program synthesis. Within specific areas, ILP has reported impressive 
results that we cannot match in our declarative and highly generic approach. 
On the other hand, it appears to be fairly easy in our system to adapt and com- 
bine different methods, e.g. integrating abduction in induction which also have 
been introduced in ILP methods recently 

Hamfelt and Nilsson m have proposed to use ‘demo’ together with a higher- 
order ‘fold’ operator and least-general-generalization techniques for producing re- 
cursive programs. The authors apply a multilayered structure (‘demo’ interpret- 
ing ‘demo’) as a means to get around the mentioned generate-and-test problems 
which we avoid using constraints. The advantage of using recursion operators 
such as ‘fold’ is that ‘demo’ only needs to invent non-recursive plug-in’s in order 
to define, say, the ‘append’ predicate. It is difficult to judge the generality of this 
proposal but it seems worthwhile to combine our ‘demo’ with more recent and 
thorough work by the authors pni2i| on recursion operators. 

Finally, we contrast our approach with the large-scale project presented by 
Bibel et al |E] in these proceedings, clearly heading at a methodology for pro- 
gramming in the large. We consider our Demo system as a light-weight and 
easy-to-use environment, primarily intended for experimentation and illustra- 
tive purposes in research and teaching, perhaps useful as a prototyping tool in 
larger contexts. 



2 A Constraint-Based Metainterpreter 

In this section we describe the theoretical background for our constraint-based 
implementation of ‘demo’. In a first reading of this paper, it may be recom- 
mended only to take a brief look at the first subsection and then go directly to 
the examples in section |H1 For the full account on the technical matters, including 
proofs, we refer to 



2.1 Syntax and Semantics of Object and Metalanguage 

The presence of a naming relation induces a natural classification of metalevel 
terms into different types, namely those that stand for programs, those that 
stand for clauses, etc.. We consider a class of constraint logic languages Clp(A’) 
similarly to , but here adapted for typed languages. In our case, the parameter 
X refers to some domain of constraints over terms with no interpreted function 
symbols. Each such constraint logic language is characterized by a finite set of 
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types, ^ collections of predicate, constraint and function symbols, and variables, 
each with fixed ranks/types. 

Capital letters such as X and Y are used for variables; the underline character 
is used as an anonymous variable in the sense that each occurrence of it stands 
for a variable that does not occur elsewhere. 

A program is a finite set of clauses of the form ^ 6i A . . . A with h being 
an atom, each bt an atom or a constraint, composed in the usual way respecting 
the ranks of each symbol; a query is similar to the body of a clause. Queries and 
bodies of clauses are collectively called formulas and we assume two inclusion 
operators, both denoted from atoms and from constraints into formulas; to 
simplify the notation, we leave out these operators except in a few, essential 
cases. Finally, the truth constant true is used to indicate the empty body of a 
fact. 

The meaning of the constraints in a given language is assumed given by a set 
of ground constraints referred to as satisfied constraints. We assume, for each 
type r, constraint symbols ‘=: r * r’ and ‘yf: r * r’ with the usual meanings of 
syntactic identity and non-identity. To cope with the semantics of yf constraints, 
we require, for each type r, that there exist infinitely many constant symbols 
(not necessarily of rank — > r) which can occur in a term of type r. 

We assume any substitution to be idempotent similarly to the sort of answers 
generated by Prolog and for reasons of technical simplicity, we define satisfiers 
and answer substitutions to be ground substitutions. The logical semantics is 
given in terms a proof relation defined for ground queries as follows. 

Definition 1. The proof relation for a constraint language C = Clp(A), de- 
noted h“£, between programs and ground queries is defined inductively as follows. 

~ P \~c true for any program P. 

- Whenever P has a clause with a ground instance H ^ B such that P l-£ B, 
we have P l-£ PI . 

~ Whenever P\~c A and P \~c B, we have P \~c AAB. 

- P \~c C whenever C is a satisfied constraint of X . 

A correct answer for a query Q with respect to a program P is a substitution a 
for the variables of Q such that P \~c Qo. □ 

The object language for ‘demo’ is called TLCC and consists of untyped, positive 
Horn clauses with equality and inequality constraints allowed in the body of 
clauses. The precise syntax and semantics are given by considering TLCC as a 
constraint logic language (as defined above) with only one type and no additional 
constraints. 

2.2 The Metalanguage ClwilfCC) 

The ‘demo’ predicate is programmed in a language Gh¥{TLCC) having function 
symbols that reflect the syntax of TLCC and constraints that make it possible to 
express its proof relation. CLP(7tC£) has the following types: 

^ We consider only simple types with no notion of parameterization or subtypes. 
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program, clause, formula, atom, constraint, term, substitution, substitution- 
pair. 

For each symbol / of ?fC£, Clp(?{C£) includes a function symbol '/ of arity 
and rank corresponding to the syntax of T-iC£, e.g., 

: atom * formula —> clause, 

and for each TiC£ variable, say X, a constant 'X: — > term. For any phrase P of 
TiC£, the notation [P] refers to the ground term that arises when each symbol 
/ occurring in P is replaced by ' f and we call |"P] a name for P. Formally, 
these brackets are not part of the metalanguage but will be used as syntactic 
sugar. The reverse brackets [• • -J are used inside [• • •] to indicate the presence 
of a metavariable. If, for example, Z is a metavariable of type atom, we have 

[LZJ ^ q(f(X,b))l = Z'^'T'q('f('X/b)). 

In addition, there are functions to build representations of object programs and 
substitutions, we will use Prolog’s list notation for those, and substitution pairs 
will be written (x, t) where x names an object variable and t an object term. 

For each type r G {clause, formula, atom, constraint, term}, Chp(7i.C£} has a 
constraint symbol 

instance,-: t * t * substitution. 

The type subscript will be left out when obvious from the context or when a dis- 
tinction is unnecessary. Additionally, we have the following constraint symbols. 

no-duplicates: program, 
member: clause * program 
not-member: clause * program 

Constraint satisfaction is defined by exactly the following ground constraints 
recognized as satisfied: 

- any constraint instance([Pi] , [P 2 ] , [ct] ) where Pi, P 2 are phrases of Ti.C£, a 
a TiCP substitution with Pia = P 2 , 

- any constraint of the form member(c, [. . . , c, . . .]), 

- any constraint of the form not-member (c, [ci, ..., c„]), n > 0 where c is 
different from all ci, . . . , c„, and 

- any constraint of the form no-duplicates([ci,. . ., c„]), n > 0 where all ci,. . ., c„ 
are different. 

The ‘member’ constraints, used for selecting clauses out of an object program, 
could in principle have been specified as an ordinary predicate, but in order to 
suppress the generation of different representations of the same object program, 
we need to have a detailed procedural control, which is only possible by explicit 
derivation rules. The ‘no-duplicates’ constraints are used to ensure that terms 
of type program really are names of programs; ‘not-member’ and constraints 
are used here as auxiliaries. A constraint solver for Clp{'HC£) is described in 
the appendix. 
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2.3 The Metainterpreter 

Using CLP(7tC£), we can give our constraint-based version of the so-called 
‘instance-demo’ predicate, which has been studied by several other authors re- 
cently [15,16,23,4]. 

demo(P, Q) ^ 

no-duplicates(P) A 
instance(Q, Qi, _) A 
demoi(P, Qi). 

demoi(P, [trite]) <— true. 
demoi(P, [t [A]]) ^ 

member(C, P) A instance(C, [ [AJ ^ [BJ ], _) A 
demoi(P, B). 

demoi(P, [[TiJ = [T 2 jl) ^ Ti=T 2 . 
demoi(P, [[TiJ^[T 2 jl) ^ Ti^T 2 . 
demoi(P, [[AJ A [Bj ] ) ^ 
demoi(P, A) A 
demoi(P, B). 

The t symbol is the inclusion operator of atoms into formulas that is left implicit 
in most other cases; the purpose of the ‘no-duplicates’ constraint is to impose 
our convention of programs being sets and not lists of clauses, a property which 
cannot be expressed directly with the sort of types normally used in logic pro- 
gramming. This, together with the rules of the constraint solver (see appendix) 
for ‘member’ constraints, prevents the generation of alternative presentations of 
the same program due to permutation and duplication of clauses. 

Precise statements and proofs of soundness and completeness can be found 
in 01 . We will mention here that satisfiability of instance constraints in general 
may be expected to be undecidable. More precisely, if we had used general sub- 
stitutions in our framework — and not idempotent ones, as we prefer — the 
satisfiability problem becomes equivalent to the multiple semi-unification prob- 
lem known to be undecidable m- Whether this disappears in the idempotent 
case is not known at present. However, the way the constraints are used in the 
‘demo’ program implies a number of invariant properties that ensure termination 
in constraint solving. The most important invariant is that of safeness which 
means that the sets of metavariables occurring in first arguments to instance 
constraints and those occurring in second arguments are disjoint. 



3 Outline of the Implemented Demo System 

The metalanguage Clp{HCC) has been implemented in Sicstus Prolog [36] us- 
ing its attributed variables’ library. Soundness and completeness results are pre- 
served for the constraint solver but the ‘demo’ program is interpreted directly 
by Prolog and inherits, thus, Prolog’s overall termination behaviour. 



98 



Henning Christiansen 



In the implemented system, we use actually a more detailed naming relation 
which makes it possible to implement a subtype relation, so that, e.g., constant 
is a subtype of term and atom a subtype of formula (which means that the 
inclusion operator "f becomes unnecessary). Types are implemented in Sicstus 
Prolog also as constraints, so for each type r of ChP{'HCC), there is a constraint 
T{t) satisfied for exactly all terms t of type r. These constraints are represented 
as predicates program_(-), clause_(-), atom_(-), etc., the underline character 
consistently used to distinguish constraints from a few Prolog built-in’s. 

An extended notation is provided to facilitate the use of the naming relation. 
A Prolog-like syntax is used for the object language with three different operators 
representing the naming brackets [• • •] in order to resolve ambiguity, \ is used 
for object programs and clauses, \\ for formulas, atoms and constraints, and 
\\\ for terms. So, e.g., \\p(a,X) is a way of writing the ground term which 
names the HCC atomp(a, X). A ‘?’ operator represents [•■■], so the expression 
\\p(a,?Z) stands for the name of an Ti.CC atom whose predicate is p, whose 
first argument is a and whose second argument is unspecified, indicated by the 
metavariable Z. 

The naming relation and the ‘member’ constraints have been extended to 
support a concatenation operator for programs and a notion of object program 
modules. In the following, 

demo( \ ( ml & m2 & ?P) , ...) 

ml and m2 are expected be defined as object program modules. 

We can illustrate the use of the extended syntax and program modules by 
a very simple example of abduction inspired by m- The following source file 
defines an object module called garden together with an auxiliary predicate 
called abducible. 

object_module( garden, 

S[ (grass_is_wet : - rained_last_night) , 

(grass_is_wet : - sprinkler_was_on) 

]). 

block abducible (-) . 

abducibleC \ (rained_last_night : - true) ). 
abducibleC \ (sprinkler_was_on:- true) ). 
abducibleC \ (full_moon:- true) ). 

The block directive is a Sicstus Prolog primitive which causes the abducible 
predicate to delay until its argument gets instantiated. In less trivial examples, 
the use of delays may become essential in order to prevent such auxiliary con- 
ditions from enumerating under backtracking the perhaps infinite space of their 
solutions. It should be emphasized that although the block directive is a pro- 
cedural device, it does not destroy the declarative semantics as do other control 
facilities in Prolog. 
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We can now express the abductive problem of finding a cause why grass_is_wet 
holds in the following dialogue with the system.^ 

?- abducible(WHY) , demo(\ (garden & [?WHY] ) , \\grass_is_wet) . 

WHY = \ (rained_last_night : -true) ? ; 

WHY = \ (sprinkler_was_on:-true) ? ; 

no 

The program argument to demo describes a conjunction of the garden module 
and a program consisting of one unknown clause, indicated by the metavariable 
WHY and the the system returns the possible, abducible explanations. 

Other facilities of the implemented system will be explained as they appear 
in the examples. 



4 Examples, Program Synthesis by Means of ‘Demo’ 

Here we will show two examples developed in the Demo system, the first showing 
an integration of different modes of reasoning, the second a variant of abduc- 
tion applied for a simplified natural language analysis problem. These and other 
application of Demo concerning view update, abduction in a fragment of linear 
logic, and diagnosis are described in jS| and available together with the imple- 
mented system (see WWW address in the introduction) . 

We do not consider, here, synthesis of recursive programs as we cannot 
present any convincing examples; we discuss this issue in the concluding sec- 
tion. 



4.1 Default Reasoning Combined with Abduction and Induction 

This is intended as a “working example” and we do not care about the formal 
relation to other work on default reasoning. We consider only monadic predicates 
and constants. The current system cannot handle negation so we represent a 
negative literal ^p{a) as p(a,no) and correspondingly p(a) as p(a,yes). We 
consider a default theory to be a triplet (F,D,E) where, informally, 

— F is a, set of facts, 

— D is a set of default rules of the form p(X,yes) q(X,yes); only ground 
instances of default rules that do not violate the overall consistency can be 
used in a proof, 

— Ti is a set of exception of the form p(X, no) : - g(X,yes). 

^ All examples are authentically produced in our implemented system except that 
we have retouched away explicit calls to an alternative reader that recognizes the 
extended syntax; by a more careful coding of the user interface, this could have been 
avoided anyhow. 



100 Henning Christiansen 



The notion of consistency of a program with encoded yes/no values can be for- 
malized at the metalevel in the following way; the notation \\ • • • ?Q- [?C,?YN1] 
displays an alternative syntax for atoms which makes it possible to parameter- 
ize over the predicate symbol, so here Q is a metavariable ranging over predicate 
names. 

consistent (P) 

for_all( (constant_(C) , constant_ (YNl) , constant_ (YN2) , 
demoCP, \\ (?Q-[?C,?YN1] , ?Q- [?C, ?YN2] ) ) ) , 

YN1=YN2 ) . 

The for_all construct is control device using a negation-as-failure principle^ 
to generate all solutions given by the first argument and the whole construct 
succeeds if the second argument succeeds in all cases. So the definition reads: 

A program is consistent whenever, for any predicate q and constant a, we 
do not have q(a,jes) and q(a, no) at the same time. 

We should be aware, however, that this implementation of the consistency check 
only works correctly when the program argument does not contain uninstanti- 
ated metavariables. 

A first sketch of a formalization in our system of provability in a default 
theory may look as follows, where D1 stands for some set of ground instances of 
the default rules D, and F, E for the other components of the default theory, Q 
represents the query or “observations” to be proved. 

demo(\ (?F & ?D1 & ?E) , Q) , 
consistent (\ (?F & ?D1 & ?E ) . 

The following proof predicate will be sufficient for deductive reasoning within a 
default theory. In this case, the default theory is completely given in advance, 
i.e., given by a ground term at the metalevel. 

demo_def ault (F , D , E , Q ) : - 

def ault_instances (D , Dl) , 
demo(\ (?F & ?D1 & ?E) , q) , 
close_constraints (Dl) , 
consistent (\ (?F & ?D1 & ?E) ). 

We will not show definitions for all auxiliary metapredicates, but def ault _ in- 
stances can give a good illustration of the general pattern. 

y, def ault_instances (Def aults , Instances) . 
block default_instances(?,-) . 

def ault_instances (_ , \ [] ) . 

default_instances(D, \ [(?P- [?C,yes] : - ?q-[?C,yes] ) I ?E]):- 
member_(\ (?P- [?_,yes] : - ?Q- [?_ ,yes] ) , D) , 
constant_(C) , 
def ault_instances (D , E) . 

® Implemented as follows, for_all(P,T) \+ (P, (T -> fail ; true)). 
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This implements, quite directly, that the second argument is a program of clauses 
created from members of the first by replacing the object variable by some con- 
stant. The block directive makes the predicate delay until its second argument 
gets instantiated (here by an event inside ‘demo’ when it attempts to grab a 
clause in the yet uninstantiated program component Dl). The tail recursion 
means that the predicate will iterate in a lazy fashion through Dl as more and 
more elements may be needed. The member_ predicate is the system’s standard 
constraint for selecting clauses in object programs. 

Finally, we should explain the close_constraints predicate used in the def- 
inition of demo_def ault. It is a device built into the system that investigates the 
possibly uninstantiated metavariables in its argument and, according to certain 
heuristics, instantiates to prototypical values that will satisfy the pending con- 
straints. In the particular case above, it will close the open program tail of Dl, 
which is necessary in order to have the naively implemented consistency check 
to execute correctly. 

To test our proof predicate for default theories, we define the following object 
modules. 

object_module ( facts, 

\[ penguinCtweety ,yes) , 

bird( john.yes) ]). 

object_module ( defs, 

\[ (bird(X,yes) penguin(X,yes) ) , 

(f ly (X,yes) : - bird(X,yes)) ]). 

object_module ( exes, 

\[ (fly(X,no):- penguin(X,yes) ) ]). 

The following queries and answers show the overall behaviour of the demo_de- 
fault predicate defined above. 

?- demo_def ault (\f acts , \def s , \excs , 

\\ (fly (John, yes) , f ly (tweety ,no) ) ) . 



yes 

?- constant_ (X) , 

demo_def ault (\f acts , \def ,\excs , \\fly(?X,yes)) . 

X = \\\john 

When moving from deduction to abduction and induction we have to formal- 
ize the assumptions we have made implicitly about what constitutes a default 
theory, otherwise the demo predicate will be free to invent any strange program 
that makes the given query provable. As a first approach, we can write predi- 
cates facts (-), defaults (-), and exceptions (-) which in a straightforward 
way formalize the syntactic assumptions mentioned in the introduction to this 
example, e.g.. 
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block exceptions (-) . 
exceptions (\ [] ) . 

exceptions(\ [(?P- [X,no] : - ?Q-[X,yes]) I ?More] ) : - 
exceptions (More) . 

We can now improve the definition of the demo_default predicate in such a way 
that it may be able to answer in a reasonable way queries with partly specified 
theory. 

demo_def ault (Facts .Defaults , Exes , Obs) : - 
facts (Facts) , 
defaults (Defaults) , 
exceptions (Exes) , 

default_instances (Defaults, Defis) , 
demo(\ (?Facts & ?Excs & ?Def Is) , Obs), 
close_constraints(\ (?Facts & ?Excs & ?DefIs) ), 
consistent (\ (?Facts & ?Excs & ?DefIs) ). 

The following queries and answers illustrate abduction and induction of defaults- 
with-exceptions from examples. 

?- demo_default(F,\defs,\excs, \\fly(tweety,no)) . 

F = \ [(penguin(tweety, yes) : -true)] 

?- demo_def ault (\f act s, \ [?D] ,\ [?E] , 

\\ (f ly(tweety ,no) , f ly (John, yes) )) . 

D = \ (f ly(X.yes) : -bird(X.yes) ) 

E = \ (f ly (X,no) : -penguin(X,yes) ) 

In the first query we abduce, from the background knowledge given by modules 
defs and exes, the fact that tweety is a penguin from the observation that 
tweety does not fly. In the second, the background knowledge facts together 
with the observations about the two individuals’ (lacking) ability to fly makes 
the system conclude the expected pair of default and exception rules. 

While demo_default works quite well in these examples, where some back- 
ground knowledge is given in each case, it will not work as a general concept 
learner that produces from scratch a class of “intuitively correct” default the- 
ories that can explain or systematize a larger sample of observations. This will 
require a further refinement of the metalevel conditions that takes into account 
a suitable stratification among the different predicates. 

This example showed the Demo system “at work” for small problems of auto- 
mated reasoning and it is worth noticing the very little amount of code that the 
developer had to supply in order to implement different reasoning methods. An- 
other important point is displayed, namely the learning process went through by 
the developer in this test-refine-and-extend cycle which is characteristic for logic 
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programming. If someone elaborated the example above further into a general 
concept learner as indicated, we will claim that he or she would have learned 
some essential points about logic and machine learning — although not so much 
about the algorithmic concerns that need to be considered for solving complex 
problems. 

4.2 A Natural Language Example 

Here we show a variation of abduction which seems difficult to implement in a 
similar direct way in those systems for abduction, we have seen described in the 
literature, see |2E| for an overview. Our example is concerned with the relation 
between simple still-life scenes and sentences about them. 

Let T be a T-LCC program describing a number of things in the world together 
with some of their properties, e.g., thing (the jElower), thing (the_vase) , 
thing(the_table) , container (the_vase) . An actual scene is described by an- 
other program of facts about the immediate physical relation between the objects 
of r, e.g., inCthejElower , the_vase), on(the_vase, the_table). Utterances 
about a scene are defined by an TiCL program, declared as a module grammar 
in the following way. 

object_module( grammar, 

\ [ (sentence (S) simple(S)), 

(sentence (S) folded(S)), 

(simple([X, is, on, Y] ) : - 
thing(X), thing(Y), 
on(X,Y) ), 

(simple([X, is, in, Y] ) : - 
thing(X), thing(Y), 
in(X,Y) ), 

(folded! [X, is, PREP, Y]):- 
simple([X, is, _, Z] ) , 
simple ([Z, is, PREP, Y] ) ) 

]). 

The folded sentence allows us to say ‘the flower is on the table’ instead of the 
longer ‘the flower is in the vase, the vase is on the table’. Assuming also modules 
things and scene defining a particular scene as above, we can use the metain- 
terpreter to execute queries in the normal deductive way, e.g., for testing the 
correctness of a given sentence. 

?- demo( \ (grammar & things & scene), 

\\ sentence! [the_f lower , is, on, the_table] ) . 

This model can be extended with abduction so that the program component 
scene can be generated “backwards” from sentences about it. In other words, 
the problem to be solved is to construct explanations in terms of ‘in’ and ‘on’ 
facts which can explain the stated sentences. Any such explanation must satisfy 
some integrity constraints with respect to the actual things theory; an in fact, 
for example, must satisfy the following metalevel predicate. 
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scene_fact(T, \ (in(?A,?B) true)):- 
constant_(A) , 
constant_(B) , 

demo(T, \\ (thing(?A) , container (?B) )) , 
dif (A,B) . 

The dif(A,B) condition serves, together with other conditions, to preserve a 
sensible, physical interpretation of the programs generated. We can write a 
similar rule for ‘on’ and then pack the whole thing together as a predicate 
scene_description( [T] , [S'] ) satisfied whenever S is a sensible scene built from 
the objects defined by T. An example of the abductive problem can now be stated 
by the following query. 

?- scene_description( \things, X), 
demo( \ (grammar k things k ?X) , 

\\sentence( [the_f lower, is, on, the_table] ) ) . 

The system produces the following three answers. 

X = \ [(on(the_f lower ,the_table) : -true) ] 

X = \ [(on(the_flower ,the_vase) : -true) , 

(on(the_vase,the_table) :-true)] 

X = \ [(in (the_f lower ,the_vase) : -true) , 

(on(the_vase,the_table) :-true)] 

We can also extend the example by abducing a things program T in parallel 
with the scene. In case a fact, say, in(the_dog, the_house) is abduced, the 
integrity constraint will abduce in turn as part of T the facts thing (the_dog) , 
container (the_house) . Furthermore, the integrity constraint concerned with 
T (not shown) will trigger the abduction of thing (the_house) . This recursive 
triggering of new abductions via integrity constraints, that appears quite nat- 
ural in our metaprogramming setting, does not appear to be possible in other 
implementations of abduction that we are aware of. 

As in the previous example, we could continue to refine and extend the met- 
alevel conditions, for example for inducing grammars from sample sentences. 
This would require a formalization at the metalevel of, firstly, what sort of ob- 
ject programs that can be conceived as grammars and, secondly, what it means 
for a grammar to be a good grammar. 



5 Conclusions, Possible Extensions of the Demo System 

We have presented an approach to program synthesis based on metaprogram- 
ming in logic, using a ground representation of object programs and a reversible 
‘demo’ predicate. The ground representation (when supported by a proper no- 
tation!) together with metalevel predicates provided by the user, appears to be 
a quite flexible tool for describing different classes of not-too-complex programs. 
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thus serving the purpose program schemas used in other approaches. For the sort 
of problems that we have illustrated in our examples, the Demo system appears 
as a highly generic environment in which different modes of reasoning can be 
developed and combined with each other in a straightforward way which seems 
quite uncommon in those other systems for program synthesis and automated 
reasoning that we are aware of. 

When it comes to the specification of more complicated patterns, say, defining 
a class of divide-and-conquer programs, the direct and isomorphic representation 
that we have used tends to be insufficient. In order to complete our approach 
for handling more complex program synthesis tasks, it seems relevant to suggest 
alternative representation forms together with specialized constraints that give a 
certain bias towards particular program structures. If, for example, we are inter- 
ested in synthesizing recursive programs, a representation based on the recursion 
operators of may seem appropriate (see also discussion in section 1.3). 

In a forthcoming re-implementation of the Demo system, we will support the 
development of such representations, by making the naming relation extensible 
by the user and by providing a layer for constraint programming, which makes it 
possible for users to write constraint solvers in terms of derivation rules similar 
to those appearing in the appendix. We will also refer to [3] which can be seen 
as a starting point for the systematic development of such representations. 

Another striking shortage in the present Demo system is its lack of ability to 
handle negative examples in a proper way. We suggest here, to add an additional 
proof predicate, demo_f ails ( |"P] , \Q~\) with the meaning that the query Q 
fails in the program P. This predicate should be implemented in such a way 
that, whenever in a standard negation-as-failure search, it runs into an open 
program part (i.e., an uninstantiated metavariable), it delays. In general, this 
will result in several delayed or-branches and if one of them reports that Q can 
succeed, the call to demo_fails should fail immediately. In this way, negative 
examples can be set up as conditions before the usual demo predicate is set to 
work, and when some action triggered inside demo adds something to the object 
program that makes one negative example succeed, demo (or the ‘responsible’ 
side-conditions) will be forced to take another choice. With such an extension, 
it should be possible to approximate some of the results gained in the ILP area. 
With similar techniques it may also be possible to have integrity constraints in, 
say, view update problems to execute in a truly incremental way. 

Appendix: A Constraint Solver for Clp(HCC) 

Constraint solving for CLP(7fC£) is described by means of top-down derivations 
in the sense of [23], however here adapted for typed languages. As we have 
in mind implementations using Prolog-like technology, we assume an indivisible 
(and efficiently implemented) unification operation in the underlying interpreter. 

In general, we define a derivation system to consist of transition rules S S' 
over states of the form 
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where C is a finite set of atoms and constraints and a an accumulated substitu- 
tion, which represents the explicit variable bindings made so far. 

States are assumed to be idempotent in the sense that no variable x S dom(a) 
occurs in C, i.e., a is mapped consistently over the constraint set C . We assume 
a special state called Failure with empty set of satisfiers. 

We use also to denote the derivation relation induced in the natural way 
by a set of derivation rules {'^}; is the reflexive, transitive closure of 
Whenever, for some query Q, that {Q, 0) S, where S does not contain atoms 
and no derivation step is possible from S, any satisfier for S restricted to the 
variables of Q is called a computed answer for Q. 

The following transition rules, labeled (Unif), (Res), (Difl), (Dif2), and 
(True), constitute the core of any transition system. The unification rule (Unif) 
is the only one that changes the accumulated substitution. 

(Unif) {C yj {s = t}, a) {C,a)pL 

— where ^ is a most general unifier of s and t chosen so that the new state 
becomes idempotent; however, if s and t have no unifier, the result is 
Failure. 

In any other rule, we will leave out the accumulated substitution assuming it to 
be copied unchanged. Other rules can of course affect it indirectly by setting up 
one or more equations as is the case in the following resolution rule. Resolution 
is only meaningful in the context of some program P. 

(Res) C\J{Bi,...,Bn,A = H} 

— whenever A is an atom, H <— B\ f\ ... /\ Bn a variant with 
new variables of a clause in P. 

Occurrences of the truth constant true are removed by the following rule. 

(True) C U {true} C 

We need the following characterization in order to handle inequality constraints. 

Definition 2 . Two terms t\ and t2 are said to be distinguishable if they have 
no unifier, i.e., for any substitution a, t\a and t2<J are different. 

□ 

The following two rules define a behaviour of inequalities quite similarly to the 
dif predicate of Sicstus Prolog m- 

(Difl) C U {ti t2] C 

— whenever ti and t 2 are distinguishable. 

(Dif2) C U {ti yf t2} Failure 

— whenever ti and t 2 are identical. 
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The constraint solver for CLP(7fC£) assumes a computation rule which is 

fast-solving: the resolution rule (Res) cannot be applied if another rule is appli- 
cable, and 

fast-unifying: the rules (Unif), (Difl), and (Dif2) take precedence over all other 
rules. 

The following derivations rules are specific for Clp{'HCC). We start with the 
rules concerned with instance constraints. The rule (I) expresses that a given 
variable can have one and only one instance under a given substitution. 

(I) C U {instance(w, t, s), instance(u, t' , s)} C LI {t = t', instance(u, t' , s)} 

— when V is variable. 

The following two rules (Itl-2) reduce instance constraints that express bind- 
ings to object variables; the first one applies when a binding has been recorded 
already for the given variable, the second one installs an initial binding in the 
substitution. 

(Itl) C U {instanceterm(^a;, t, s)} C L {t = t'} 

— when 'x is the name of an Ti.CC variable and s = [• • • (fx, t') ■ ■ ■] 

(It2) C U {instanceterm(^a;, t, s)} C U {w = [('x, t)|r(;']} 

— when ' X is the name of an liCC variable, (Itl) does not apply, 
and s = [• • • lie]; ru' is a new variable. 

Notice that a fast-unifying computation rule is relevant for (It2) in order to avoid 
different and incompatible expansions of the substitution tail w. — An invariant 
property can be shown, that these substitution argument always have open tails 
so that rule (It2) always can apply when relevant. 

Instance constraints with names of structured object language terms in the 
first argument are reduced as follows. 

(Its) C U {instanceterm(7(^i> ■ ■ ■ ,tn),t' , s)} 

^ CL{t' = 7(wi, . . . ,w„), 

instanceterm(ti, vi, s), . . . , instanceterm(tn, s)} 

— when 7 is the name of a function symbol of TiCC, n > 0; 
vi, ... ,v„ are new variables. 

The reduction of a term instance constraint is, thus, triggered by its first ar- 
gument being non- variable. Rules for all other syntactic constructs in TiCC of 
categories clause, formula, atom, and constraint are defined similarly to (ItS) 
except that they are triggered also by the second argument being non-variable. 
As an example, we show the rule (Ic) for reduction of instance constraints on 
clauses. 

(Ic) C U {instancedause(ti72, s)} 

CU{ti = (Ui'^ U 2 ),t 2 = (vi'^ V 2 ), 

instanceatom(Mi, -yi, s), instancefomuja(u 2 , V 2 , s)} 

— when t\ or t 2 is of the form (• • • ■ ■ •); u\,U 2 , v\,V 2 are new variables. 
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Member constraints and its companions are reduced by the following rules. 

(Ml) C U {member(c, u)} C U {v = [c|u']} 

— when u is a variable; u' is a new variable. 

(M2) C U {member(c, [c'Ip])} C U {m} 

— where m is either c = c' or member(c,p). 

(M3) C U {member(c, [])} Failure. 

(NDl) C U {no-duplicates([c|p])} C U {not-member(c,p), no-duplicates (p)}. 
(ND2) C U {no-duplicates([])} C. 

(NMl) C U {not-member(c, [c'|p])} C U {c yf c', not-member(c,p)}. 

(NM2) C U {not-member(c, [])} '^ C. 

Termination and soundness conditions are formulated and proved in [8] . 
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Abstract. We provide a theoretical basis for studying the termination 
of tabled logic programs executed under SLG-resolution using a left- 
to-right computation rule. To this end, we study the classes of quasi- 
terminating and LG-terminating programs (for a set of atomic goals S). 
These are tabled logic programs where execution of each call from S 
leads to only a hnite number of different (i.e., non-variant) calls, and a 
finite number of different calls and computed answer substitutions for 
them, respectively. We then relate these two classes through a program 
transformation, and present a characterisation of quasi-termination by 
means of the notion of quasi- acceptability of tabled programs. The lat- 
ter provides us with a practical method of proving termination and the 
method is illustrated on non-trivial examples of tabled logic programs. 



1 Introduction 

The relative novelty of tabled-based logic programming implementations has 
given rise to a number of both theoretical and practical questions related to 
the study of the characteristics of such programs and to improving their per- 
formance. This work has been motivated by an initial study on how to adapt 
advanced program specialisation techniques, originally developed for standard 
logic programming, to the context of tabled logic programming. In a companion 
paper [12], we describe how left-propagation of bindings in a program executed 
under SLG-resolution [4] using a fixed left-to-right computation rule (as SLG 
is usually implemented in practical tabled-based systems such as XSB [15]) can 
seriously endanger the termination characteristics of that program. A simple 
example from [12] is the program: 
p{X)^p{Y),Y = f{X) 

X = x ^ 

For the query ^ p{X), the program finitely fails in SLG since its left-to-right 
evaluation encounters (a variant of) an existing call for which no answers can be 
produced. By performing one unfolding step with respect to the atom Y = f{X), 
giving rise to the clause p{X) ^ p{f{X)), the same query ^ p(X) will now result 
in an infinite computation under SLG. 
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In [12], preconditions for safe (i.e. termination preserving) program specialisa- 
tion through unfolding are proposed. In the present paper we study the universal 
termination of tabled programs (where we are interested in the termination of 
the computation after all solutions have been generated), executed under SLG 
using a fixed left-to-right computation rule, in its own right. We adapt exist- 
ing results on acceptability of programs with respect to sets of atoms from [6]. 
We show how this provides a natural necessary and sufficient condition for the 
termination of tabled logic programs. We also briefly discuss automatic verifica- 
tion of the proposed termination conditions, and present a non-trivial example 
(Appendix B). 

The rest of the paper is structured as follows. In the next section we introduce 
some preliminaries and present a brief formalisation of SLG-resolution restricted 
to definite programs. In Section 3 we present the notions of quasi-termination 
and quasi-acceptability with respect to sets of atoms and prove that they are 
equivalent. In Section 4 we discuss the stronger notion of LG-termination and, 
again, characterise it in terms of quasi-termination. We end with a discussion. 

2 Preliminaries 

Throughout the paper, P will denote a definite tabled logic program. We also 
assume that in all programs all predicates are tabled (i.e. executed under SLG- 
resolution). The extended Herbrand Universe, Up, and the extended Herbrand 
Base, Bp, associated with a program P, were introduced in [7]. They are defined 
as follows. Let Termp and Atomp denote the sets of respectively all terms and 
atoms that can be constructed from the alphabet underlying P. The variant 
relation, denoted «, defines an equivalence. Up and Bp are respectively the 
quotient sets Termp /ks and Atomp/ For any term t (or atom A), we denote 
its class in Up (Bp) as i (or A). However, when no confusion is possible, we 
omit the tildes. Finally, by Predp and Funp we denote the sets of predicate and 
function symbols of P, respectively. 

In this paper, we consider termination of SLG-resolution (see [4]), using a 
fixed left-to-right computation rule, for a given set of atomic (top level) queries 
with atoms in S' C Bp. We will abbreviate SLG-resolution under the left-to- 
right computation rule by LG-resolution (which for definite programs is similar 
to OLDT-resolution [16,11], modulo the fact that OLDT specifies a more fixed 
control strategy and uses subsumption checking and term-depth abstraction in- 
stead of variant checking to determine existence of subgoals and answers in the 
tables). Below, we formalise these notions. While doing so, we also introduce 
some example programs that are used throughout the paper to illustrate various 
aspects of (non)-termination of tabled logic programs. 

2.1 SLG- Resolution for Definite Programs 

We present a non-constructive definition of SLG-resolution that is sufficient for 
our purposes, and refer the reader to [2,4,16,17] for more constructive formula- 
tions of (variants of) tabled resolution. 
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Definition 1. (pseudo SLG-tree, pseudo LG-tree) Let P be a definite 
program, TZ be a computation rule, and A an atom. A pseudo SLG-tree for 
P U A} under TZ is a tree ta such that: 

1. the nodes of ta are labeled by goals along with an indication of the selected 
atom, 

2. the arcs are labeled by sets of substitutions ( either most general unifiers or 
computed answer substitutions) , 

3. the root of ta is ^ A, 

4- the children of the root ^ A are obtained by resolution against all matching 
(program) clauses in P, 

5. the (possibly infinitely many) children of non-root nodes can only be obtained 
by resolving the selected (using TZ) atom B of the node with clauses of the 
form BO ^ (not necessarily in P). 

If TZ is the leftmost literal selection rule, ta is called a pseudo LG-tree for 
PU{^A}. 

We say that a pseudo SLG-tree ta for PU{^ A\ is smaller than another pseudo 
SLG-tree t'^ for P U A} iff t(^ can be obtained from ta by attaching new 
sub-branches to nodes in ta- 

A ( computed^ answer clause of a pseudo SLG-tree ta for PU A} is a clause 
of the form AO ^ where 0 is the composition of the answer substitutions found 
on a branch of ta whose leaf is labeled by the empty goal. 

Intuitively, a pseudo SLG-tree (in an SLG-forest, see Definition 2 below) 
represents the tabled computation of all answers for a given subgoal labeling 
the root node of the tree. The trees in the above definition are called pseudo 
SLG-trees because there is no condition yet on which clauses BO ^ exactly are 
to be used for resolution in point 5. These clauses represent the answers found — 
possibly in another tree of the forest — for the selected atom. This interaction 
between the trees of an SLG-forest is captured in the following definition. 

Definition 2. (SLG-forest, LG-forest) Let P be a program, TZ be a compu- 
tation rule, and S be a (possibly infinite) set of atoms such that no two different 
atoms in S are variants of each other. T is an SLG-forest for P and S under 
TZ iff if is a set of minimal pseudo SLG-trees {ta | A G S'} where 

1. TA is a pseudo SLG-tree for P U A} under TZ, 

2. every selected atom B of each node in some ta & IF is a variant of an 
element B' of S, such that every clause resolved with B is a variant of an 
answer clause of tb' and vice versa. 

Let Q A be an atomic query. An SLG-forest for P U {Q} is an SLG-forest 
for a minimal set S with A G S. An LG-forest is an SLG-forest containing only 
pseudo LG-trees. 

Point 2 of Definition 2, together with the imposed minimality of trees in 
a forest, now uniquely determines these trees. So we can drop the designation 
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“pseudo” and refer to (S)LG-trees in an (S)LG-forest. The notion of an (S)LG- 
forest introduces explicitly the relation between selected atoms and their com- 
puted answers. Also note that (S)LG-trees always have a finite depth. 

Example 1 (NAT). Let NAT be the program below: 
nat(O) ^ 

nat{s[x)) ^ nat{X) 

The (unique) (S)LG-forest for NAT and {nat{X)}, shown in Figure 1, consists 
of a single (S)LG-tree. Note that this tree has an infinitely branching node. 




Fig. 1. SLG-forest for NAT U nat{X)}. 



Example 2. (NATgoi) Let NATgoi be the following program: 
nat{0) ^ 

nat\s\x)) ^ nat{X), sol{nat{X)) 
natsoi(X) ^ nat{X) , sol{nat{X)) 
sol{X) ^ 

The LG-forest for NATsoi U{^ nat{X)} contains an infinite number of LG- 
trees; see Figure 2. 

Finally, given S C Bp, by Call{P, S) we denote the subset of Bp such that 
B G Call{P, S) whenever an element of B is a selected literal in an LD-derivation 
for some P U A}, with A G S. We note that we can use the notions of LD- 
derivation and LD-computation even in the context of SLG-resolution, as the set 
of call patterns and the set of computed answer substitutions are not influenced 
by tabling; see e.g. Theorem 2.1 in [11]. 

3 Quasi-Termination and Quasi- Acceptability 

As the examples in the previous section show, an LG-forest can be infinite. In par- 
ticular, whenever LD-computation from an initial goal leads to infinitely many 
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Fig. 2. The (infinite) LG-forest for Example 2. 



different, non-variant calls, the corresponding LG-forest under tabled execution 
will be infinite. Obviously, such a phenomenon is undesirable, and therefore a 
first basic notion of termination studied in this paper is quasi-termination (a 
term borrowed from [9], defining a similar notion in the context of termination 
of off-line partial evaluation of functional programs). It is defined as follows. 

Definition 3. (quasi-termination) Let P he a program and S C Bp. P 

quasi-terminates with respect to S iff for every A G S, Call{P, {A}) is finite. 
Also, P quasi-terminates iff it quasi-terminates wrt Bp. 

Lemma 1. Let P be a program, A G Bp, and let T he the LG-forest for PU 
A}. Then P quasi-terminates wrt {A} iff P consists of a finite number of LG- 
trees. 

This is the termination notion that also forms the heart of the study in [12]. 

Example 3. Gonsider the programs NAT and N AT soi of Examples 1 and 2 re- 
spectively. With respect to {nat{X)}, NAT quasi-terminates, but NATsoi does 
not. 

In order to characterise the notion of quasi-termination, we adopt the follow- 
ing concept from [6]. 

Definition 4. (level mapping) A level mapping for a program P is a function 
l-.Bf^lN. 

Definition 5. (finitely partitioning) A level mapping I is finitely partition- 
ing iff for all n G IN : ffl~'^{n) < oo. 

In other words, only finitely many atoms are mapped to any n G IN . 

We now introduce the notion of quasi- acceptability. It is adapted from the 
acceptability notion defined in [6] and not from the more “standard” definition 
of acceptability by Apt and Pedreschi in [1]. The reason for this choice is that 
the quasi-termination property of a tabled program and (set of) goal(s) is not 
invariant under substitution. Gonsider the following example from [12]: 
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Example 4- Let p/2 he a tabled predicate defined by the following clause. 
p{f{X),Y)^p{X,Y) 

Then, the query ^ p{X, Y) quasi-terminates while ^ p{X, X) does not! 

The acceptability notion in [1] is expressed in terms of ground instances of 
clauses and its associated notion of left-termination is expressed in terms of 
the set of all goals that are bounded under the given level mapping. Such sets 
are closed under substitution. Because quasi-termination lacks invariance under 
substitution, we need a stronger notion of acceptability, capable of treating any 
set of interest S. 

Definition 6. (quasi-acceptability) Let I he a finitely partitioning level map- 
ping on Bp. We say that P is quasi-acceptable with respect to I and S iff 

• for every atom A such that A G Call{P, S), 

• for every clause P[ ^ Bi, ... , B„ in P, such that mgu{A, H) = 9 exists, 

• for every initial subsequence B\,...,Bi-i of B\, ... ,Bn and every LD- 
computed answer substitution 6i-\ for ^ {Bi , . . . , Bi-i)9: 



1{A) > l{B,99,.i) 



In brief, the main differences with the acceptability notion of [6] are that: 

1 . level mappings are assumed to be finitely partitioning the extended Herband 
Base, and 

2. decreases of the level mapping are not assumed to be strict. 

Intuitively, the reasons for these differences can be understood as follows. Con- 
trary to SLD, computations in which a call has a variant of itself as its (imme- 
diate) recursive descendant do not lead to non-termination under tabled evalu- 
ation. As we want to allow such computations, requiring a strict decrease of the 
level mapping is too strong. On the other hand, we do not want to allow that 
infinitely many different calls within a same level occur (due to the non-strict 
decrease). To exclude this, we impose the finite partitioning requirement. 

More directly, it should be intuitively clear that the combination of the non- 
strict decrease with finitely partitioning level mappings implies that only a finite 
number of different calls are allowed to descend from a given call. This corre- 
sponds to quasi-termination. 

Given these definitions, we can now prove one of the main results of this 
paper. 

Theorem 1. (termination condition) Let P be a program and S C Bp. P 

is quasi-acceptable wrt some finitely partitioning level mapping I and S iff P is 
quasi-terminating with respect to S. 

For a proof, we refer to Appendix A. 

Quasi-termination captures the property that, under LD-computation, a given 
atomic goal leads to only finitely many different calls. It is exactly in such cases 
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that tabling aims at achieving actual termination of top-down logic program ex- 
ecution. Hence the importance of quasi-termination as a key property for tabled 
programs. 

Also, in a broader context, techniques for proving quasi-termination can be 
of great value to ensure termination of off-line specialisation of logic programs 
(whether tabled or not). Currently, in all off-line partial evaluation methods for 
logic programs (e.g. [13,10]) termination has to be ensured manually. In the 
context of off-line partial evaluation, quasi-termination is actually identical to 
termination of the partial evaluator. Thus, given a technique to establish quasi- 
termination, one can also establish whether a given binding time annotation 
will ensure termination or whether further abstraction is called for. This idea 
has already been successfully applied in the context of functional programming 
(cf. [8]), using the termination criterion of [9]. 

4 LG-Termination 

Even when tabling, quasi-termination as in Definition 3 and Lemma 1 only 
partially corresponds to our intuitive notion of a ‘terminating computation’. 

Example 5. Consider the program of Example 1. Given the set S = {nat{X)}, 
NAT quasi-terminates with respect to S. This is obvious since Call{N AT, S) = 
{nat{X)}, which is finite. The program is also quasi-acceptable with respect to 

5 and any finitely partitioning level mapping ^ IN. 

Nevertheless, this example does not correspond to our intuitive notion of a 
terminating program. Although the LG-forest is finite, its unique LG-tree is in- 
finitely branching (see Figure 1) and the computation does not terminate. Notice 
however that the computed answers do not lead to new calls. Therefore, quasi- 
termination does hold. Also note that the same program is not LD-terminating 
either: there exists an infinite LD-derivation. To capture this, we define the fol- 
lowing stronger termination notion. 

Definition 7. (LG-termination) Let P he a program and S C Bp. P is LG- 
terminating with respect to S iff for every A G S, the LG-forest for P U A} 
is a finite set of finite LG-trees. 

Also, P is LG-terminating iff it is LG-terminating wrt Bp. 

Let us now study how quasi-termination and LG-termination relate to each 
other. According to Lemma 1, quasi-termination only corresponds to part of the 
LG-termination notion; it does not capture infinitely branching LG-trees. But a 
simple program transformation can remedy this. 

Definition 8. (sol(ution) transformation) The sol transformation is de- 
fined as follows: 

• For a clause C = H ^ Bi, ... , B„ we define 
Csol = H ^ Bi,sol{Bi), . .. , Bn, sol{Bn) 

Here, sol{Bi) is the syntactic application of the predicate sol/1 on Bi. 
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• For a program P, we define: 

Psol = {Csol \C€P}U 

\Psol (^1 1 ■ ■ ■ 7 ^n) ^ p{^l 7 ■ ■ ■ 7 ^n) 7 

sol{p{Xi, . . . , Xn)) \ p/n G Predp} U 

{sol{X) 

where each psoi/n is a new predicate symbol. 

• For a set of atoms S C Bp, we define 

^sol — \Psol{t±, ■ ■ ■ 7 tn) I p{tl, ■ ■ ■ 7 tn) G <5^} 

The goal of the construction is that P LG-terminates wrt S iff Pgoi quasi- 
terminates wrt Ssoi- Note that Pgoi is finite provided that P is also finite. 

Example 6. The programs NAT of Example 1, and NATgoi of Example 2 are 
related through the sol transformation. 



Example 7. Let P be the following extension of the NAT program. 
t{X) ^ nat{X), fail 
nat{0) ^ 

nat{s{x)) ^ nat{X) 

Then Call{P, {t(X)}) = {t{X),nat{X), fail}, so P quasi-terminates wrt {t(X)}. 
However, note that the query <— t{X) does not terminate but fails infinitely in 
tabled evaluation under a left-to-right computation rule. Using the sol transfor- 
mation, we have that {t(X)}soZ = {Goi(-^)}7 and Psoi is the following program: 
t{X) ^ nat{X),sol{nat{X)), fail, sol{f ail) 
nat{0) ^ 

nat{s{x)) ^ nat{X) , sol{nat{X)) 

Eoi{X)^t{X),sol{t{X)) 
natsoi{X) ^ nat{X) , sol{nat{X)) 
sol{X) ^ 

Now, we have that 

Call{Psou{tsoi{X)}) = 

{tsoi{X),t{X),nat{X), fail, sol{nat{Q)) , sol{nat{s{G ))) , . . .} 
and as expected Pgoi does not quasi-terminate wrt {t(X)}soZ. 



Theorem 2. Let P be a program and S C Bp. Then P LG-terminates wrt S 
iff Psol quasi-terminates wrt Ssoi- 

Proof. (Sketch) As can be seen in Figure 3 for a node in an LG-tree labeled by 
a compount goal ^ H, Q, where B is the selected atom, every answer clause 
resolution for B in P (with the answer clause B9) translates into two answer 
clause resolutions (for B and sol{B9)) and one new LG-tree (for sol{B9)) in 
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Fig. 3. Relating answer clause resolution in P and Psoi- 



Psoi- Note that in the same figure, Qsoi is the sol-translation of Q. Let A G S. 
(=>) If ^ A LG-terminates in P, then we can build a finite set of finite LG-trees. 
Thus in Psoi only finitely many answer clause resolutions and finitely many LG- 
trees are added and, by LemmaQ, Pgoi quasi-terminates wrt {A}soi- 
(<;=) If ^ A does not LG-terminate in P, then we either have an infinite set of 
LG-trees, and thus also an infinite set of LG-trees for Psoi ■ Or we have an infinite 
branching in some tree, which translates into an infinite set of LG-trees for Psoi- 
So, by LemmaCl in both cases Psoi does not quasi-terminate wrt {A}so/. 

A fully worked out example of a termination proof using the level mappings 
of Section 0 can be found in Appendix O. 

5 Discussion 

Tabled logic programming is receiving increasing attention in our community. 
It avoids many of the shortcomings of SLD(NF) execution and provides a more 
flexible and often extremely efficient execution mechanism for logic programs. 
In particular, tabled execution of logic programs terminates more often than 
execution based on LD-resolution. Nevertheless, termination can still not be 
guaranteed. Our motivation for the reported work is that we want to port pro- 
gram specialisation techniques for “standard” logic programs to tabled ones. In 
this attempt, we noticed that simple transformations, which are termination- 
preserving in the standard logic programming setting, can distort the termina- 
tion behaviour in the setting of tabled logic programs. This motivated us to start 
a deeper study of termination of tabled logic programs, in the hope of using the 
results as tools in the further development and study of optimisation of tabled 
logic programs through transformations. 

There are only relatively few works (in disguise) studying termination under 
tabled execution. within the context of well-moded programs, gives a suf- 
ficient (but not necessary) condition for the bounded term-size property, which 
implies LG-termination. |2| provides another sufficient (but not necessary) con- 
dition for quasi-termination in the context of functional programming. 
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A specific concern that one might raise with respect to the termination con- 
ditions we propose is to what extent existing (automated) termination analyses 
can be adapted to verify the quasi-acceptability condition. Before addressing this 
question, we note that all programs that terminate under LD-resolution, are LG- 
terminating as well. Thus, verification of termination under LD-resolution (i.e., 
ignoring the designation of predicates as tabled) using an existing automated ter- 
mination analysis (such as those surveyed in e.g. |0) is a sufficient proof of the 
program’s quasi-acceptability. Naturally this is not a necessary condition, since 
there are LG-terminating programs which do not terminate under LD-resolution 
(from trivial ones as the program in the introduction to more interesting ones as 
that presented in Appendix^. In such cases, existing termination analyses may 
require modifications or extensions. The most important issue in this context 
is to what extent the focus on finitely partitioning level mappings becomes a 
bottleneck in providing level mappings in practice. Or, more specifically, which 
of the level mappings used in practice in (automated) termination analysis are 
finitely partitioning? 

In most automatic approaches to termination analysis, level mappings are 
defined in terms of positive linear combinations of norms. A norm is a function 
n : Up ^ IN. Given such a norm n, a level mapping is induced by selecting 
a number of argument positions. Ip, for each predicate symbol p/k, and by 
defining: l{p{t\, . . . , tk)) = X) where all pi are natural numbers. 

iGlp 

Note that if the selected norm n is ‘finitely partitioning’, meaning that for 
every m G IN : < oo, and Ip = [1, k] as well as pi > 0, then the level 

mapping I is finitely partitioning as well (assuming that the language underlying 
P only contains a finite number of predicate symbols). So, the question is: which 
norms are finitely partitioning ? 

Let us first assume that the language underlying P contains only a finite 
number of constants and functions symbols. In that case, consider any semi- 
linear norm Pj, which are norms that can be defined as: 

n{f{ti, ..., tk)) = c/ + ^ n{U) 
ieif 

where c/ S IN, If C [1, A:] and depend on f /k only. 

Given the restriction on the language underlying P, any semi-linear norm 
which has c/ > 0 and If = [1, k], for all f /k in Funp, (in other words no part 
of the term can be ignored) is finitely partitioning. In particular, the well-known 
termsize norm is finitely partitioning (but e.g. the list-length norm is not). 

If the underlying language contains an infinite number of constants (e.g. the 
natural numbers), we can still design very natural finitely partitioning norms 
by exploiting any existing well-founded ordering on the infinite data set and 
incorporating that in the norm. 

Therefore, automated termination analysis can be quite easily adapted to 
the case of quasi-termination and in fact requires nothing more than moving 
from a strict inequality check to verifying the weaker inequality expressed in 
quasi-acceptability. 
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However, the requirement that c/ > 0 can in some cases complicate the 
task of finding appropriate norms and level mappings, as the following example 
illustrates. 

Example 8. Let P just consist of the following clause C: 
p{[H^,H2\T]) ^ p{[[H^,H^,H2]\T]) 

Let us restrict our attention to calls p{t) where t is a ground list. Then P quasi- 
terminates (failing finitely) and it even terminates under ordinary, un-tabled 
evaluation. For the un-tabled case we can simply use the level mapping l(p(t)) = 
listJength(t) and we have that the level mapping of the head of a ground instance 
of C is strictly larger than the level mapping of the corresponding body atom. 
As previously mentioned, a termination proof under un-tabled execution implies 
LG-termination. However, such an indirect proof of LG-termination could not 
be used if the program also contained the clause p{X) ^ p(X). In such a case, 
the list length norm could not be used to directly prove quasi-acceptability as 
it is not finitely partitioning (there are infinitely many different terms up to 
variable renaming with the same list length) and we would have to search for 
another candidate. Unfortunately, we could not simply use the termsize norm 
either, because it will lead to the heads of ground instances of C being strictly 
smaller than the corresponding body atoms. Thus, using the termsize norm we 
are not able to prove quasi-acceptability and one has to resort to more powerful 
level mappings. The following, slightly involved, level mapping, where we denote 
the termsize by ||.||, will fortunately be sufficient: 

l{p{[ti,...,tr,])) = 2”(n-bEie[i.n] P*ll) 

Now let p{[ti,t 2 \t]) ^ p{[[ti,ti,t 2 ]\t]) be any ground instance of C, where 
listJength{[ti,t 2 \t]) = n, t = [si, . . . , s„_ 2 ] and s = X)j 6 [i,n- 2 ] Nill- We have 
that l{p{[ti,t 2 \t])) = 2”(n -I- ||ti|| -I- ||t 2 || + s) which is (strictly) larger than 
^2]|i])) = 2”“^(n — 1-1- 1 -I- 2 II till -I- 11^211 + s)- 
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A Termination Condition 



The following concept will be useful for proving our termination condition. To 
any fixed P and S, we can associate a call graph as follows. 
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Definition 9. (call graph associated to S) Let P be a program and S C Bp. 

The call graph Call-Gr(P, S) associated to P and S is a graph such that: 

• its set of nodes is Call{P, S), 

• there exists a directed arc from A to B iff 

• there exists a clause PI <— Bi, . . . , B^ in P, such that mgu{A, P[) = 9 
ea;jsts0 o,nd 

• there exists i S such that there is an LD-refutation for 

with computed answer substitution 9i-\, and B « Bi96i-i. 

The notion of a call graph has a particularly interesting property, which will 
be useful in the study of termination. 

Proposition 1. (paths and selected atoms) Let P be a program, S C 
Bp, Call{P,S) and Call-Gr{P,S) be defined as above. Let p be any directed 
path in Gall-Gr{P,S). Then there exists an LG-derivation for some element of 
Gall{P, S), such that all the nodes in p occur as selected atoms in the derivation. 

Proof. By definition of Gall-Gr{P, S), for every arc from A to 5 in Gall-Gr{P, S), 
there exists a sequence of consecutive LG-derivation steps, starting from ^ A 
and having a variant of B as its selected atom at the end. Because (a variant 
of) B is selected at the end-point, any two such derivation-step sequences, corre- 
sponding to consecutive arcs in Gall-Gr{P, S), can be composed to form a new 
sequence of LG-derivation steps. In this sequence, all 3 nodes of the consecutive 
arcs remain selected atoms in the new sequence of derivation steps. Transitively 
exploiting the above argument yields the result. 

Note that by definition of Gall-Gr(P, S) and Gall{P, S), this also implies that 
there is a sequence of derivation steps starting from PU{<— A}, with A G S, such 
that all nodes in the given path p are selected atoms in the derivation sequence. 

Theorem H (termination condition) Let P be a program and S C Bp. P is 

quasi- acceptable with respect to some finitely partitioning level mapping I and S 
iff P is quasi-terminating with respect to S. 

Proof. The “only-if” part of the proof is fairly straightforward. We have that P 
is quasi-acceptable with respect to I and S. Take any atom A with A G S'. Due 
to the acceptability condition, any call in Gall{P, S) directly descending from 
A, say B, is such that 1{A) > 1{B). The same holds recursively for the atoms 
descending from B. Thus, the level mapping of any call, recursively descending 
from A, is smaller than or equal to 1{A) G IN. Since I is finitely partitioning, we 
have that: U„<;(^)Z“^(n)) < oo. Hence, ffGall{P, {A}) < oo and the program is 
quasi-terminating for <— A. 



^ Throughout the paper we assume that representatives of equivalence classes are 
systematically provided with fresh variables, to avoid the necessity of renaming apart. 
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The “if” -part of the proof is slightly more complicated. Given is that P quasi- 
terminates for all atomic queries ^ A, with A G S. We need to design a finitely 
partitioning level mapping, I, such that the quasi-acceptability condition with 
respect to I and s holds. 

First of all, we will only define I on the elements of Call{P, S). On elements 
of the complement of Call{P, S) in Bp, I can be assigned any value (as long as 
we don’t group infinitely many in one layer), as these elements do not turn up in 
the inequality condition of quasi-acceptability. In order to define I on Call{P, S), 
consider the Call-Gr{P, S')-graph. 

A first crucial point in this part of the proof is that the strongly connected 
components of Call-Gr{P, S) are necessarily all finite. To see this, assume that 
Gall-Gr{P, S) contains an infinite strongly connected component. Then, there 
exists an infinitely long path p, starting from an element in S, through elements 
of this infinite strongly connected component. By Proposition^ this means that 
there exists a derivation for that element in S, such that an infinite number of 
different atoms from Gall{P,S) are selected within this derivation. Obviously, 
this contradicts quasi-termination. 

So, all strongly connected components of Gall-Gr{P, S) are finite. Define 
Gall-Gr{P, S) / reduced as the graph obtained from Gall-Gr{P, S) by replacing 
any strongly connected component by a single contracting node and replacing 
any arc from Gall-Gr{P, S) pointing to (resp. from) any node in that strongly 
connected component by an arc to (resp. from) the contracting node. 

Gall-Gr{P, S) / reduced does not have any (non-trivial) strongly connected 
components. Moreover, any strongly connected component from Gall-Gr{P, S) 
that was collapsed into a contracting node of Gall-Gr{P, S) / reduced necessarily 
consists of only a finite number of nodes. 

We now define I as follows. 

Let layer-0 be the set of leaves in Gall-Gr{P, S) / reduced. We will order these 
nodes and assign to them an odd number within IN. For every atom in a strongly 
connected component represented by one of the nodes in layer-0, we will assign 
the level mapping of that atom to be equal to the assigned value of the corre- 
sponding contracting node. 

Then, we move up to the next layer in Gall-Gr{P, S) / reduced. This layer, 
layer-1, consists of all nodes N , such that: 

max{{length{p) | p is a path starting from N in Gall-Gr{P, S)/ reduced}) = 1 

To any element of layer- 1, we assign a natural number n, such that n is larger 
than all the natural numbers assigned to descendants of this node in layer-0 
(note that the graph is finitely branching), but such that there is at least 1 
natural number larger than the ones assigned to its descendants which remains 
unassigned. 

We continue this process layer by layer. In each step we make sure that 
an infinite number of natural numbers remain “unassigned” to nodes, but also 
that numbers assigned to nodes in higher levels of Gall-Gr{P, S) are strictly 
larger than the numbers assigned to their descendants. The value of the level 
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mapping on elements of Call{P, S) is as defined for layer-0 above: all calls in a 
same strongly connected component of Call{P, S) receive the number assigned 
to their representative in Call-Gr{P, S) / reduced. 

Due to this construction, I is finitely partitioning on Call{P,S). Also, by 
construction again, the quasi-acceptability condition of P with respect to I and S 
holds. 



B An Extended Termination Proof 

In this appendix, the approach is illustrated on a non-trivial example. Systems 
like the one in [6], after the slight adaptations discussed in Section 5, are able 
to automatically derive this proof. Consider the following context-free gram- 
mar, defining well-built numerical expressions, built up from integers and the 
operators -I- and *. 

Expr Term \ Expr Term 
Term Primary \ Term * Primary 
Primary integer | ( Expr ) 

If we encode expressions as ground lists of tokens, we can use the following 
program Parse to parse such expressions in all possible ways. 
expr{A,B) ^ term{A, B) 

expr{A,B) ^ expr{A,C),C = [+\D],term{D, B) 
term{A, B) ^ primary{A, B) 

term{A,B) ^term{A,C),C = [*\D],primary{D, B) 
primary{A, B) ^ A = \C\B]Anteger{C) 
primary{A, B) ^ A = ['{'\C], expr{C, D), D = 

It is not difficult to see that the program is not LD-terminating wrt the following 
set of atoms: 

S = {expr{l, t) I Hs a list of atoms and t is any term } 

For example, the query <— expr(\l],B) generates the answer B = [] and then 
gets stuck in an infinite loop. 

The program is however LG-terminating. To see this, consider ParsCgoi which 
corresponds to the following program. 

expr{A, B) ^ term{A, B), sol{term{A, B)) 

expr{A,B) <— expr{A,C),sol{expr{A,C)),C = [+\D], sol{C = [-|-|D]), 
term{D, B), sol{term{D, B)) 
term{A, B) <— primary{A, B), sol{primary{A, B)) 
term{A,B) ^ term{A,C), sol{term{A,C)),C = [*\D],sol{C = [*|D]), 
primary{D , B), sol{primary{D , B)) 

primary{A, B) ^ A = [C\B],sol{A= [C\B]), integer {C),sol{integer{C)) 
primary{A,B) ^A = sol{A = [{^\C\),expr{C,D), 

sol{exprlc,D)),D = ['Y\B],sol{D = ['Y\B]) 
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expTsoi{A,B) ^ expr{A, B), sol{expr{A, B)) 
termsoi{A,B) <— term{A, B), sol{term{A, B)) 
primary soi{A, B) <— primary{A, B), sol {primary (A, B)) 
sol{X) ^ 

The following level mapping can then be used to prove quasi-acceptability of 
Parse sol wrt Ssoi, which according to Theorem 0 establishes LG-termination of 
Parse with respect to S. 



\\term{ti,t2)\\ = ||ea;pr(ti,t2)|| = \\primary{ti,t2)\\ 

= 2 X termsize{ti) + termsize{t2) + 1 
||fi = t2\\ = termsize{ti) + termsize{t2) 



\\integer{n) 

\\integer{t)\ 

||so/(t)|| = < 

lbsoi(i)ll = 



= abs{n), if n is an integer 
= termsize{t), if t is not an integer 
termsize{ti) + termsize{t2) 

if t is of the form p{ti,t2) and 
p/2 € {expr /2,term/2,primary /2,= /2} 
termsize{t) otherwise 
|p(t)||,Vp/n G Predp 



The following set is a superset of Call{Parsesoh Ssoi)- 



{expr{l, t),term{l, t),primary{l, t), 
integer{g), sol{t), exprsoi{l, t), 
termsoi{l,t)TPfi'<Tiarysoi{l,t) M is a ground list of atoms, 

t is any term and p is a ground term} 



As Funparscsoi i® 8' finite set and 1 1 A| | is defined in terms of the termsize of all 
arguments of A, 1 1 . 1 1 is finitely partitioning. We can then prove quasi-acceptability 
of Parsesoi wrt Sgoi- Consider the first clause defining expr /2 and take any 
atom expr{l,t) G Call{Parsesoh Sgoi) such that mgu{expr{l,t),expr{A, B)) = 9 
exists. Obviously, ||ea;pr(^, t)|| > \\term{A,B) 9 \\ as expr{l,t) = expr{A,B) 9 . 

To prove that \\expr{l,t)\\ > \\sol{term{A, B))992\\ for any 62 such that 62 
is a computed answer substitution for <— term{A, B) 9 , we need the following 
observation. In the following, let ti,t2 G Termparse^ai - ®6f- 



{expr{ti,t2),term{ti,t2),primary{ti,t2) \ termsize{ti) > termsize{t2)} U 
{exprsoi{ti,t2) Aermsoi{t\, 12), primary soi{t\, 12) \ termsize{ti) > termsize{t2)} 
U {ti = t2 I termsize{ti) = termsize{t2)} U {integer{n) | n is an integer} 



is a model of Parsesoi- 

Now, whenever 62 is a computed answer substitution for <— term{A, B) 9 , 662 
is a grounding substitution. Consequently, for term{A, B)692, termsize{A992) > 
termsize{B692). Therefore and because A 9 is ground, we have that 

\\expr{l,t)\\ = \\expr{A,B) 9 \\ = 2 x termsize{A 9 ) + termsize{B 9 ) + 1 

> 2 X termsize{A992) 

> termsize{A962) + termsize{B962) 

= \\sol{term{A, B))692\\ 
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Consider now the second clause of expr/2. Again, take any atom expr{l, t) G 
C all{P arse sol T S sol) such that mgu{expr{l,t),expr{A,B)) = 9 exists. We can 
apply the same arguments as above to infer that ||ea;pr(/, t)|| > \\expr{A,C)9\\ 
and that \\expr{l,t)\\ > \\sol{expr{A,C))992\\, 02 being as above. To prove that 
\\expr{l,t)\\ > lie = [+|D]d 03 || for any 9^ such that 9^ is a computed answer 
substitution for ^ {expr{A, C), sol{expr{A, C)))9, we need the observation that 
expr{A, C)99^ is ground and thus termsize{A99^) > termsize{C99z) . Therefore 
and because A9 is ground, we have that: 

\\expr{l,t)\\ = 2 X termsize{A99-i) + termsize{B9) + 1 

> termsize{C99^) + 1 > ||e = [+|D]d03|| 

We can use similar arguments on all remaining atoms and clauses. 
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Abstract. We present our work on the representation and correctness 
of program schemas, in the context of logic program synthesis. Whereas 
most researchers represent schemas purely syntactically as higher-order 
expressions, we shall express a schema as an open first-order theory that 
axiomatises a problem domain, called a specification framework, con- 
taining an open program that represents the template of the schema. We 
will show that using our approach we can dehne a meaningful notion 
of correctness for schemas, viz. that correct program schemas can be 
expressed as parametric specification frameworks containing templates 
that are steadfast, i.e. programs that are always correct provided their 
open relations are computed correctly. 



1 Introduction 

A program schema is an abstraction of a class of actual programs, in the sense 
that it represents their data-flow and control-flow, but does not contain (all) their 
actual computations or (all) their actual data structures. Program schemas have 
been shown to be useful in a variety of applications, such as proving proper- 
ties of programs, teaching programming to novices, guiding both manual and 
(semi-) automatic synthesis of programs, debugging programs, transforming pro- 
grams, and so on, both within and without logic programming. An overview of 
schemas and their applications can be found in p|. 

In this paper, we present our work on two aspects of schemas: representation 
and correctness, in the context of logic program synthesis. In logic programming, 
most researchers represent their schemas as higher-order expressions, sometimes 
augmented by extra-logical annotations and features, so that actual (first-order) 
programs are obtained by applying higher-order substitutions to the schema. We 
shall take a different approach and show that a schema S can also be expressed 
as an open first-order theory containing an open (first-order) program T, viz. a 
program in which some of the relations are left undefined. One advantage of this 
approach is that it simplifies the semantics of schemas and of their manipulations. 

Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 128-^^3 1998- 
(c) Springer- Verlag Berlin Heidelberg 1998 
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We shall endow a schema S with a formal (model-theoretic) semantics by 
defining IF as a specification framework, i.e. an axiomatisation of the (possibly 
open) problem domain, and call T the template of S. This allows us to define 
a meaningful notion of correctness for schemas. Indeed, we show that correct 
program schemas can be expressed as parametric specification frameworks con- 
taining templates that are steadfast open programs, i.e. programs that are always 
correct provided their open relations, i.e. their parameters, are computed cor- 
rectly. Steadfastness is a priori correctness, and therefore correct schemas are a 
priori correctly reusable. 

We shall also briefly indicate how to use correct schemas in practice. Using 
any kind of schemas requires suitable strategies, and we shall touch on some 
ideas for such strategies for correct schemas. 

2 Program Schemas as Open Frameworks 

Our approach to schemas (and program synthesis) is set in the context of a 
(fully) first-order axiomatisation IF of the problem domain in question, which 
we call a specification framework T . Specifications are given in T , i.e. written 
in the language of T . This approach enables us to define program correctness 
wrt specifications not only for closed programs but also for open programs, i.e. 
programs with parameters (open relations), in both closed and open frameworks. 
In this section, we briefly define specification frameworks, specifications, open 
programs. 



2.1 Specification Frameworks 

A specification framework is a full first-order logical theory (with identity) with 
an intended model: 

Definition 1. (Specification Frameworks) 

A specification framework if {II) with parameters II consists of.' 

• A (many-sorted) signature E of sort, function and relation symbols (together 
with their declarations). 

We distinguish between symbols of S that are closed (i.e. defined symbols) 
and those that are open (i.e. parameters). The latter are indicated by II. 

• A set of first-order axioms for the (declared) closed and open function and 
relation symbols of E. 

Axioms for the closed symbols may contain first-order induction schemas. 
Axioms for the open symbols, or parameters, are called p- axioms. 

E{n) is open if the set II of parameters is not empty; it is closed otherwise. 

A closed framework IF axiomatises one problem domain, as an intended model 
(unique up to isomorphism). In our approach, intended models are reachable 
isoinitial models: 
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Definition 2. (Reachable Isoinitial Models) 

A reachable isoinitial model i of is a model such that i is reachable (i.e. the 
elements of its domain can be represented by ground terms) and, for any relation 
r defined in J-, ground instances r{t) or ^r(t) are true in i iff they are true in 
all models of T. 

Example 1. (Closed Frameworks) 

A typical closed framework is (first-order) Peano arithmetic MAT (we will omit 
the most external V quantifiers) : 



Specification Framework MAT ; 

SORTS: Nat] 


FUNCTIONS: 0 


^ Nat] 


s 


Nat ^ N at] 


+,* 


{Nat, Nat) ^ Nat 



AXIOMS: C-AXS(0,s); 

a; -I- 0 = a:; 

X + s{y) = s{x + y); 
a; * 0 = 0; 

X * s{y) = X + X * y, 

C-AXS(0, s) contains Clark’s Equality Theory (see [EO]) for the constructors 
0 and s, and the related (first-order) induction schema H{0) A (Vi . H{i) 
H{s{i)) Va: . H{x), where H stands for any formula of the language, i.e. the 
schema represents an infinite set of first-order axioms. 

An isoinitial model of MAT is the term model generated by the constructors, 
equipped with the usual sum (-I-) and product (*). 

The induction schema is useful for reasoning about properties of -I- and * that 
cannot be derived from the other axioms, e.g. associativity and commutativity. 
This illustrates the fact that in a framework we may have more than just an 
abstract data type definition, as we will see again later. 

In general, a closed framework T is constructed incrementally from exist- 
ing closed frameworks, and the new abstract data type axiomatised by T is 
completely defined thus. For example, a new sort T (possibly) depending on 
other pre-defined sorts is constructed from constructors declared as functions. 
The freeness axioms for the pre-defined sorts are imported and new axioms are 
added to define the (new) functions and relations on T. 

The syntax of a framework T is thus similar to that used in algebraic ab- 
stract data types (e.g. immM)- However, whilst an algebraic abstract data 
type is an initial model ('[ I12M 5JI 1 of its specification, the intended model of T is 
an isoinitial model. Of course, a framework may have no intended (i.e. reach- 
able isoinitial) model. We will only ever use frameworks with such models, i.e. 
adequate frameworks: 

Definition 3. (Adequate Closed Frameworks) 

A closed framework T is adequate if it has a reachable isoinitial model. 
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Now a framework T may also contain other forms of formulas, such as: 

• induction schemas (as we saw in Example 1); 

• theorems, i.e. proven properties of the problem domain (we will not encounter 
these in this paper); 

• specifieations, i.e. definitions of new symbols in terms of S symbols; 

• (and even (steadfast)) programs. 

However, such formulas are only admissible in !F if their inclusion preserves J^’s 
adequacy (we will return to this in Section 2.2). 

An open framework !F(n) has a non-empty set 77 of parameters, that can 
be instantiated by closed frameworks as follows: 

Definition 4. (Framework Instantiation) 

Let iF(n) be an open framework with signature S, and Q he a, closed framework 
with signature A. If 77 is the intersection of S and A, and Q proves the p-axioms 
of if, then the Q-instance of T, denoted by iF[Q], is the union of T and Q. 

Instantiation may be defined in a more general way, involving renamings. 
Since renamings preserve adequacy and steadfastness, we can use this simpler 
definition without loss of generality. 

Now we can define adequate open frameworks: 

Definition 5. (Adequate Open Frameworks) 

An open framework !F(n) is adequate if, for every adequate closed framework 
Q, the instance T(n)[Q] is an adequate closed framework. 

Adequacy means that parameter instantiation works properly, so we will also 
refer to adequate open frameworks as parametric frameworks. 

Example 2. (Open Frameworks) 

The following open framework axiomatises the (kernel of the) theory of lists with 
parametric element sort Elem and parametric total ordering relation < (we use 
lower and upper case for elements and lists respectively): 

Specification Framework CIST (Elem, <\)] 

IMPORT: NAT ; 

SORTS: Nat, Elem, List, 

FUNCTIONS: nil : List, 

: (Elem, List) List; 

nocc : (Elem, List) Nat; 

RELATIONS: elemi : (List, Nat, Elem); 

< : (Elem, Elem); 
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AXIOMS: C-AXS{nil, •); 

elemi{L, i, a) ^ 3h, T, j . L = h ■ T f\ 

{i = 0Aa = h\/i = s{j) A elemi{T, j, a)); 
nocc{x, nil) = 0; 

a = b ^ nocc{a, b ■ L) = nocc{a, L) + 1; 

~^a = b ^ nocc{a, b • L) = nocc(a, L); 
p- AXIOMS: x<yAy<x<-!-x = y; 

x<lyAy<lz—i-x<lz; 

X < y V y < X. 

where C-Axs{nil, •) contains Clark’s Equality Theory (see ^D]) for the list con- 
structors • and nil, and the first-order induction schema A (Va, J . H{J) — > 

H{a ■ J)) VL . H{L); the function nocc{a, L) gives the number of occurrences 
of a in L, and elemi{L, i, a) means a occurs at position i in L. The p-axioms are 
the parameter axioms for <. In this case, they state that < must be a (non-strict) 
total ordering. 

The parameters Elem and < can be instantiated (after a possible renaming) 
by a closed framework proving the p-axioms. For example, suppose ZAfT is 
a closed framework axiomatising the set Int of integers with total ordering <. 
Then CIST {Int, <)\INT] becomes a closed framework with an isoinitial model 
where Int is the set of integers, Nat contains the natural numbers, and List finite 
lists of integers. Note that CIST {Int, <)\INT] contains the renaming of Elem 
by Int and < by <. Note also that defined symbols can be renamed, when 
convenient. For example, we could rename List by Listint. 

Whilst an adequate closed framework has one intended (isoinitial) model, an 
adequate open framework has a class of intended models. 



2.2 Specifications 

A framework is the context where a specification must be written, where it 
receives its proper meaning, and where we can reason about it and derive correct 
programs from it. 

More formally, a specification Ss in a framework is an axiom that defines a 
new relation S in terms of the symbols E of the framework. Thus Ss is a formula 
containing symbols from E and the new relation symbols S: 

Definition 6. (Specifications) 

In a specification framework T{LI), a specification Ss is a set of sentences that 
define new function or relation symbols 6 in terms of the symbols E of T. If Ss 
contains symbols of II, then it is called a p- specification. 

Ss can be interpreted as an expansion operator that associates with the 
isoinitial model i of T one or more classes of {E -|- <5)-interpretations, that are 
the expansions of i defined by Ss- 
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Definition 7. (Expansion) 

Let j be a ^'-interpretation, and i be an expansion of j to -|- <5. We say that i 
is an expansion of j determined by a specification S (of (5) iff i ^ S. 



We say that Ss is strict if it defines just one expansion; it is non-strict if it 
defines more than one expansion. A more detailed discussion and classification 
of specifications can be found in M- 

For uniformity, in this paper, we shall use only conditional specifications, that 
is specifications of the form 

Vx : X,Vy : Y. Q{x) {r{x,y) ^ R(x,y)) 

where Q and R are formulas in the language of IF, and x:X, y:Y are (possibly 
empty) lists of sorted variables, with sorts in T . Q is called the input condition, 
and R the output condition of the specification. 

When Q is true, we drop it and speak of an ijf specification. Iff specifications 
are strict, while in general a conditional specification is not. 

In our approach, we maintain a clear distinction between frameworks and 
specifications. The latter introduce new symbols and assume their proper mean- 
ing only in the context of the framework. To distinguish the specified symbols 
from the signature of the framework, we will call them s-symbols. We also dis- 
tinguish clearly between specifications and axioms. 

Example 3. (Specifications) 

In the open framework CIST [Elem, <), we can specify the following functions 
and relations: 

S-FUNCTIONS: I : List Nat; 

I : {List, List) List; 

S-RELATIONS: mcm : {Elem, List); 

len : {List, Nat); 
append : {List, List, List); 
perm : {List, List); 
ord : {List); 
sort : {List, List); 

SPECS: mem{e, L) ^ 3i . elemi{L,i,e); 

len{L, n) <-!■ Vz . z < n <-*■ 3a . elemi{L, i, a); 

n = 1{L) <-!■ len{L,n); 

append{A, B, L) <-> (Vz, a . i < 1{A) 

{elemi{A,i, a) ^ elemi{L,i,a)))/\ 
elemi{B,j,b) 
elemi{L,j + 1{A), b)); 

perm{A, B) ^\/e . nocc{e, A) = nocc{e, B); 

C = A\B ^ append{A, B, C); 

P-SPECS: ord{L) ^ Vz . elemi{L, i,c\) A elemi{L, s{i), 62 ) —^ci<l 62 ; 

sort{L, S) ^ perm{L, S) A ord{S) 
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As we will see in the next section, program predicates must be s-symbols. 
However, the specification of a program predicate may be non-strict and, in this 
case there may be many correct implementations, one for each expansion. 

An s-symbol S can be used also to expand the signature of the framework, in 
order to get a more expressive specification language. In this case, the specifica- 
tion Ss is added to the axioms of the framework and S is added to its signature. 
This operation will be called framework expansion. 

We must use adequate framework expansions, i.e. expansions that preserve 
the adequacy of the framework. For example, the expansions of CIST {Elem, <) 
by I, I, mem, append, perm, ord and sort in Example 0 can be shown to be 
adequate. In the following we will consider T thus expanded. 



2.3 Closed and Open Programs 

Open programs arise in both closed and open frameworks. 

An open program may contain open relations, or parameters. The parameters 
of a program P are relations to be computed by other programs. They are not 
defined by P. 

A relation in P is defined (by P) if and only if it occurs in the head of at 
least one clause of P. It is open if it is not defined (by P). An open relation in 
P is also called a parameter of P. 

A program is closed if it does not contain open relations. We consider closed 
programs a special case of open ones. 

Open programs are always given in the context of an (open or closed) frame- 
work T{n). In T{n), we will distinguish program sorts, i.e. sorts that can be 
used by programs. A closed program sort must have constructors (see axioms 
C-AXS(. . .)), and an open program sort may only be instantiated by program 
sorts. In programs, constant and function symbols may only be constructors. A 
program relation must be an s-symbol, i.e. it must have a specification. 



Example 4 - (Open Programs) 

A possible open program for sort{L, S) in CIST {Elem, <) is the following: 



sort{L, S) 
sort{L, S) 

part{L,p, S, B) 
part{L,p, S, B) 



L = nil, S = nil 
L = h.T, part{T, h,TLi,TL2), 

sort(TLi,TSi), sort(T 12,182), append{TS\, h.TS2, S) 
L = nil, S = nil, B = nil 
L = h.T, h <ip, part{T,p,TS,TB), 

S = h.TSAB^TB 



part{L,p, S, B) 



L = h.T, ^h < p, part{T,p,TS,TB), 
S = TS AB = h.TB 



The s-symbols sort and append are specified in Example 0 The conditional 
specification of part can be found in Example 0 
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2.4 Program Schemas 

For representing schemas [1,2,3,4,5,6,10,14,16,21,22,23,25,26,27,28], there are es- 
sentially two approaches, depending on the intended schema manipulations. 

First, most researchers represent their schemas as higher-order expressions, 
sometimes augmented by extra-logical annotations and features, so that actual 
programs are obtained by applying higher-order substitutions to the schema. 
Such schemas could also be seen as first-order schemas, in the mathematical 
sense, namely designating an infinite set of programs that have the form of the 
schema. The reason why some declare them as higher-order is that they have 
applications in mind, such as schema-guided program transformation [7,28,11], 
where some form of higher-order matching between actual programs and schemas 
is convenient to establish applicability of the starting schema of a schematic 
transformation. 

Second, Manna m advocates first-order schemas, where actual programs 
are obtained via an interpretation of the (relations and functions of the) schema. 
This is related to the approach we advocate here, namely that a schema S can 
also be represented as a (first-order) framework iF containing an open program 
T, so that actual programs can be obtained by adding programs for some (but 
not necessarily all) of T’s open relations. So there is no need to invent a new (or 
higher-order) schema language, at least in a first approximation (but see [6]). 
Formally we define a program schema as follows: 

Definition 8. (Program Schemas) 

A {program) schema for a relation r is an open framework 5(7T) containing a 
program for r. 

Pr is called the template of S{II). 

The p-axioms and the p-specifications are called the constraints of 5(77). More- 
over, relation symbols of 77 used only in specifications and (possibly) in p-axioms 
are called s-parameters. 

A schema S covers a program P if (5 and) its template can be instantiated to 
P. 



We distinguish s-parameters from other parameters because in an instantia- 
tion by a closed framework Q they can be replaced by formulas of the language of 
^.[jThis does not hold for other parameters, since they must be instantiated by 
symbols of Q, in order to get a closed instance of the framework with a reachable 
isoinitial model. 

Most definitions of schemas, with the laudable exception of the one by Smith 
[EEH], reduce this concept to what we here call the template. Such definitions 
are thus merely syntactic, providing only a pattern of place-holders, with no 
concern about the semantics of the template, the semantics of the programs it 
covers, or the interactions between these place-holders. So a template by itself 
has no guiding power for teaching, programming, or synthesis, and the additional 
knowledge (corresponding to our constraints) somehow has to be hardwired into 

^ Of course, after the replacement, the p-axioms must be satisfied. 
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the system or person using the template. Despite the similarity, our definition 
is an enhancement of even Smith’s definition, because we consider relational 
schemas (rather than “just” functional ones), open schemas (rather than just 
closed ones), and set up everything in the explicit, user-definable background 
theory of a framework (rather than in an implicit, predefined theory). The notion 
of constraint even follows naturally from, or fits naturally into, our view of 
correct schemas as (adequate) frameworks containing steadfast programs (see 
later), rather than as entities different from programs. 

Example 5. (Program Schemas) 

The schema in Figure 1 is our way of defining the divide-and-conquer schema. 
Note that the schema contains only p-axioms, and that /j.. Or, . . . are s-parame- 
ters, i.e. they can be replaced by formulas in framework instantiations. 



Schema DC(X, Y, H, 7r, Or, Idee, Odec)\ 

SORTS: X,Y, H; 

RELATIONS: Ir,hee : (X); 

Or :(X,Y); 

Oder :(X,H,X,X); 

P- AXIOMS: Idec{x) A Odec{x,hx,tXl,tX2) Ir{tXl) A tXl -< X 

/\Ir{tX2) A tX2 -< X', 

Idec{x) 3h, Xl,X2- Odec{x, h, Xl,X2); 

P-SPECS: Ir{x,y) (r{x,y) ^ Or{x,y)) 

Ir{x) — > {primitive{x) ^Idec{x)) 

Idec{x) — > {decompose{x,hx,txi,tx2) <-> 

Odee(x,hx,tXl,tX 2 )) 

Ir{x) A ^ldec(x) {solve{x, y) ^ Or{x, y)) 
Odec{x,hx,tXl,tX 2 ) A Or{tXl,tyi) A Or{tX 2 ,ty 2 ) 

{compose(hx,tyi,ty 2 ,y) ^ Or{x,y)) 
TEMPLATE: r{x,y) ^ primitive(x), solve(x,y) 

r{x,y) <— -<primitive{x), decompose{x,hx,txi,tX2), 

r{txi,tyi), r{tX2, ty2), compose{hx, tyi,ty2,y) 



(ci) 



(C2) 
(Sr) 
i^Sprim ) 
{Sdee) 



solve) 
)Scomp ) 



(Tr) 



Fig. 1. A divide-and-conquer schema. 



3 Correct Schemas 

A model-theoretic definition of correctness of open programs in a framework, 
called steadfastness, is given in PI- Here, we give a less abstract, but more 
conventional definition. In this paper, for simplicity, we only give definitions 
and results that work for definite programs. Nevertheless they extend to normal 
programs, under suitable termination assumptions. 

For closed programs in closed frameworks, we have the classical notion of 
(total) correctness: 
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Definition 9. (Total Correctness) 

In a closed framework T with isoinitial model i, a closed program for relation 
r is totally correct wrt its specification Sr 

Wx ■■ X,Wy: Y. Ir(x) {r{x,y) ^ Or(x,y)) (Sr) 

iff for alH : X and u : Y such that i |= Ir{t) we have; 

i\=Or{t,u) iff Pr\-r{t,u) (1) 

If Pr satisfies the if-part of o, it is partially correct (wrt Sr)- If it satisfies the 
only-if part, then it is total. 

Total correctness as defined here is unsatisfactory for logic programs, since 
it cannot deal with different cases of termination. In particular, we consider the 
following two cases: 

(i) Pr is totally correct wrt to Sr, and terminates with either success or finite 
failure, for every ground goal ^ r(t,u) such that i |= Ir{t). 

In this case, Pr correctly decides r, and we say that Pr is correct wrt 
TC{r,Sr). 

(ii) Pr is partially correct wrt Sr, and, for every ground t : X such that i |= Ir(t), 
the computation with open goal <— r{t, y) terminates with at least one answer 
y = u. 

In this case, Pr correctly computes a selector of r (i.e. a function or relation 
that, for every input x such that Ir{x), selects at least one output y such 
that Or{x,y)), and we say that Pr is correct wrt PC(r,Sr). 

TC{r,Sr) and PC{r,Sr) are called termination requirements. 

It is easy to see that total correctness is too weak for case (z), since a to- 
tally correct Pr could fail to terminate for a false r{t,u), and too strong for 
case (ii), since for computing a selector, we do not need success for every true 
r(t,u)). Therefore, a specification of a program relation r will be of the form 
{Sr, Si, . . . , Sn,Tr Ti, . . . , T„), i.e. it will include a termination requirement. 
Moreover, in the definition of steadfastness, we will consider correctness wrt 
{Si,Ti) and (Sr,Tr), instead of total correctness. 

Termination and termination requirements are an important issue. For lack 
of space, however, we will not further deal with them here. 

The definition of correctness wrt {Sr,Tr) is still unsatisfactory. First, it de- 
fines the correctness of Pr in terms of the programs for the relations other than 
r, rather than in terms of their specifications. Second, all the programs for these 
relations need to be included in Pr (this follows from Pr being closed), even 
though it might be desirable to discuss the correctness of Pr without having to 
fully solve it (i.e. we may want to have an open Pr). So, the abstraction achieved 
through the introduction (and specification) of the new relations is wasted. 

This leads us to the following notion of steadfastness of an open program in 
a closed framework. 
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Definition 10. (Steadfastness in a Closed Framework) 

In a closed framework T, let be an open program for r, with parameters p \ , 

. . . , Pn, specifications Sr, S\, . . . , Sn, and termination requirements Tr,T\, . . . , 
Tn- 

Pr is steadfast in T if, for any closed programs Pi , . . . , that compute pi, . . . ,pn 
such that Pi is correct wrt (Si,Ti), the (closed) program P^ U Pi U . . . U P„ is 
correct wrt (Sr,Tr). 

Now we can define steadfastness in an open framework: 

Definition 11. (Steadfastness in an Open Framework) 

In an open framework P(P), let Pr be an open program for r, with parameters 
pi, . . . , Pn, specifications Sr, Si, . . . , Sn, and termination requirements Tr,T\, 
T 

. . . , J- n • 

Pr is steadfast in P(P) if it is steadfast in every instance P[G] for a closed 
framework Q. 

This is similar to Deville’s notion of ‘correctness in a set of specifications’ [H] 
p.76], except that his specifications and programs are not set within frameworks. 
Moreover, we also (but not in this paper, hence the simplified definition above) 
consider other cases of steadfastness, namely where several (but not necessarily 
all) defined relations of a program are known by their specifications, the other 
defined relations being known by their clauses only. 

Now we can formally define correctness for program schemas: 

Definition 12. (Correct Program Schemas) 

A (program) schema for a relation r, i.e. an (adequate) open framework S{n) 
containing a template Pr for r, is eorreet iff Pr is steadfast in S{II). 

Example 6. (Correct Program Schemas) 

We will now show that the schema S in Example |EI is correct because {S is 
an adequate framework and) its template T^: 

r{x, y) <— primitive{x) , solve{x, y) 

r{x,y) <— ^primitive{x), decompose{x,hx,txi,tx 2 ), {Tr) 

r (tel , tyi ) , r{tx 2 ,ty 2 ), eompose{hx, tyi , ty 2 , y) 

is steadfast, if we add to it the following termination requirement: 

T-REQS. PC{v,Sr^ TC{^prXTfllt%Ve, Sprimitivef) , ECi^Solve, S solved , 

PC (^decompose, S decompose) , PC (^eOTfipOSe, S composed 

In fact we can derive the whole schema (including these termination require- 
ments) from our attempt to prove that Tr is steadfast. Thus this example also 
serves to illustrate how we might derive correct schemas. 

In the absence of constraints, an open program such as Tr has no fixed 
meaning, since it covers every program, which is obviously nonsensical. Indeed, 
it would suffice to instantiate primitive by true, and solve by the given program! 
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However, we can give this template an informal intended semantics, as follows. 
For an arbitrary relation r over formal parameters x and y, the program is to 
determine the value(s) of y corresponding to a given value of x. Two cases arise: 
either x has a value (when primitive{x) holds) for which y can be easily directly 
computed (through solve), or x has a value (when ^primitive{x) holds) for 
which y cannot be so easily directly computed; the divide-and-conquer principle 
is then applied by: 

1. dividing (through decompose) x into a term hx and two terms tx\ and tx 2 
that are both of the same sort as x but smaller than x according to some 
well-founded order, 

2. conquering (through r) to determine values of tyi and ty 2 corresponding to 
txi and tx 2 , respectively, 

3. combining (through compose) terms hx, tyi, ty 2 to build y. 

Just as the semantics of open programs is defined parametrically, we can do 
the same for this template, and whilst so doing, we can enforce the informal 
semantics and supply the corresponding axioms of the open relations (i.e. the 
constraints of the schema). We can do so by introducing an open framework 
S{Ir, Or, ■ ■ ■) with a signature containing the sorts of the template and the open 
relation symbols Ir,Or,--- We can abduce the constraints of the schema by 
proving at an abstract level that Tr is steadfast in S, wrt the specifications of 
r and the unknown axioms of the open relations the template introduces, and 
enforcing the informal semantics of the template during this proof. The proof 
itself must of course fail due to the lack of knowledge about r and the intro- 
duced open relations, but the reasons of this failure can be used to abduce the 
necessary relationships between r and these open relations. These relationships 
are of course the constraints on the open relations of the template! 

Program Tr is steadfast in S if it is steadfast in every instance of S. So 
let IF be a generic instance 5[^], where ^ is a closed framework. Suppose the 
specification of r in is: 

Vcc : X, Vy : Y . Ir{x) {r{x, y) ^ Or{x, y)) {Sr) 

We have to find (at least) the p-specifications (in T) Sprim, Ssoive, Sdec, Scomp of 
primitive, solve, decompose, compose, respectively, such that Tr is a steadfast 
program for r in T . For each Si, let the input and output conditions be It and 
Oi respectively. 

Suppose also that we only require that instances of the template Tr be par- 
tially correct and terminating (i.e. PC{r,Sr) holds for each instance). Let t be 
a ground term such that Ir{t), and consider the open goal ^ r{t,Y). We have 
to prove that Tr terminates with some answer Y = u. We have the following 
possibilities: 

1. The next goal is ^ primitive{t), solve{t,Y), and primitive{t) succeeds. We 
are blocked, but we can unblock the situation by abducing that PC {solve, 
Ssoive) holds and that: 

Ir{t) A Oprim{t) ^ ^ solve it) (2) 
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2. The next goal is <— primitive{t) , . . . or <— -^primitive(t) , . . and the call to 
primitive(t) does not terminate. We have to exclude this case, so we assume 
TC {primitive, S primitive) and: 

Ir{t) i Iprim{t) (3) 



3. The next goal is <— ^primitive{t) , . . . and primitive{t) finitely fails. Then 
we get the goal ^ decompose{t, HX,TX\, TX 2 ),r{TXi,TYi),r{TX 2 , TY 2 ), 
compose{HX,TYi,TY 2 ,Y). Again, we are blocked, but we can unblock the 
situation by assuming: 

Idec{t) A Odec{t, HX, TXi, TX 2 ) ^ A(TAi) A TXi -< tA . . 

Ir{TX2) A TX 2 At ^ > 

where ^ is a well-founded relation.0By structural induction, we can see that, 

if PC {decomposers decompose), P C {compose, S compose), and 

Ir{t) A ^Oprim{t) ^ Idec{t) (5) 

Idee{t) A Odec{t, HX, TAi, TAa) A Or{TXi,TYi) A Or{TX2, TY 2 ) , , 
^ Icomp{HX,TYi,TY2,Y) 

then the computation terminates with an answer for Y. Indeed, by the in- 
duction hypothesis, we can assume that, for TXi A t and TX 2 A t, program 
Tr computes TYi and TY2 such that Or{TXi,TYi) A Or{TX2,TY2) holds. 

Thus, we have abduced: 



PC{v,Sr) TC {primitive, Sprimitive) , PC {solve, S solve) , /y\ 

PC {decompose, S decomposed , PC{cOmpOSe, S compose) 

PC{solve, Ssoive), PC{decompose,S decompose), and P C {compose, S compose) ad- 
mit correct programs only if their specifications Ssoive, Sdec and Scomp are such 
that 

Idec{t) ^ ^HX, TXi, TX 2 . Odec{t, HX, TXi,TX2) 

Icomp{HX, TYi, TY 2 ) ^ 3T . Ocomp{HX, TYi, TY2,Y) (8) 

^solve{l') ^ 3T . O solve{t, Y) 

Now we have to prove that Tr is partially correct. For this, we assumeEl 



r{x,y) 

primitive{x) 
solve{x, y) 

decompose{x, hx, tx\,tx2) 
compose{hx, ty\,ty2,y) 



^ ~^Ir{x) V Or{x,y) 

^ ~^iprim{x) V Oprim{x) 

~'^solve{x) V Osolve{^,y) 

^ ~^Idec{x) V Odec{x,hx,tXi,tX 2 ) 
~'^comp {hx,tyi,ty 2 ,y)y 

Ccomp{hx, tyi , ty2 , y) 



(9) 



^ In the isoinitial model and, hence, in the Herbrand base of the closed version T{ of 
Tr. 

® Here we make use of the fact that if F\j{ix : X, V?/ : Y . r{x, y) ^ ^Ir{x)\/Or{x, y)} h 
Tr, then Tr is partially correct wrt Sr- See |12|. 
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We have to prove that JFU(9) h T^. Let us try to prove the first clause. We 
abduce: 

^Ir{x) V Or{x,y) ^ ( V ^ (^) V Osolve (x,y)) 

This is logically equivalent to 

Or{x,y) ^ Ir{x^ A {~^Iprim{s^^ ^ ^przm(^)) A (^) V ^solve (x,y)) 

Since any instance IF must prove the p-axioms of S and since we have already 
abduced (2) and (3), we can simplify this to: 

OriXj p) Iri^x) A O primix^ A OsolveiXj y) 

By an analogous reasoning, from the attempt of proving the second clause, we 
obtain the simplified p-axiom: 

Or{Xj y) ^ Ij' (x) A ^Oprim (^) F O dec {Xi hXj tX\ , tX2^ A fill 

Or{txi,tyi) AOr{tx 2 ,ty 2 ) AOco7np{hx,tyi,ty2,y) 

As before, the simplification of the input conditions is due to the p-axioms al- 
ready abduced. 

By the above proof, we have abduced a schema containing a suitable signa- 
ture, our template, the termination requirements (7), and the p-axioms (2) . . . 
( 11 ). 

This schema is correct, but it contains redundancies, due to constraints that 
make some parameters depend on others. We can try to simplify it as follows: 

1. When we use the schema, we know the actual specification, which specifies 
in IF a program such that PC{r, Sr) holds, so we can instantiate Ir, Or, 
X, and Y. 

2. Then we instantiate A by a well-founded relation on X. 

3. Now the two constraints (10) and (11) contain four unknown output condi- 
tions. If we fix some of them, we can hope to deduce the other ones, and to 
simplify some constraints. In a divide-and-conquer strategy, it is reasonable 
to assume that we first choose the decomposition, i.e. Idee and Odec- We 
now have to infer Iprim and Oprim such that they satisfy the constraints (3) 
and (5). A possible reduction is based on the observation that (5) is logi- 
cally equivalent to Ir{x) (Oprim(x) ^ -^ldec(x)). We replace ^ by 
By identifying Iprim and A, we satisfy (3) and can thus reduce Sprim to: 

Ir{x) {primitive{x) ~^Idec{X)) 

hence setting Oprim to ^Idec- 

4. Now, by substitution and a simple logical manipulation, we transform (10) 
and (11) into: 

Iri,x) A Sdec{x) ^ (Or(x, y) < O solve^X , y)) 

Ir{x) A Idec{x) A Odec{x, hx,tXi,tX2) A Or{tXi,tyi) A Or{tX2,ty2) 
{Or{x,y) ^ O comp{hx,tyi,ty 2 ,y)) 
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where the unknown predicates Ocomp and Osoive are defined, on the right- 
hand side of by <— instead of We can assume strongei®constraints, 
by replacing ^ by We get a conditional definition of Osoive and Ocomp- 
Moreover, S solve and Scomp can be reduced to: 

A ^Idec (x) (solve(x, y)^Or(x, y)) 
Odec{x,hx,txi,tX2) A Or{txi,tyi) A Or{tX2,ty2)^{compose{hx,tyi,ty2,y) 

^ Or{x,y)) 

Using the reduced specifications, we see that the constraints (zura, and 
the second and third constraints of (0 become proved. 

Therefore we obtain the schema VC as defined in Example Q 
The above abduction process proves the following theorem: 

Theorem 1. (Correctness of the divide-and-conquer schema) 

The schema VC in Example El with the addition of the termination requirement 
(E’ is correct, i.e. it contains a steadfast template. 

This theorem is related to the one given by Smith m for a divide-and- 
conquer schema in functional programming. The innovations here are that we 
use specification frameworks and that we can thus also consider open programs. 
Moreover, we could also prove total correctness (and not just partial correctness 
as we have done here), because we are in a relational setting. Finally, we elim- 
inated Smith’s Strong Problem Reduction Principle by endeavouring to achieve 
these objectives. 

Finally, we can specialise a schema to a data type. For example, we can 
incorporate the data type of lists with generic elements, by incorporating in S 
the framework CTST{X, <), or part of it. All the properties of S are inherited, 
and we can add further properties. For example, we can already know at the 
schema level that the relation defined hy A ^ B ^ I (A) < 1{B) is a well- 
founded relation in every instance of the schema, and therefore that it is one of 
the candidates to be used when instantiating the template. 

4 Using Correct Schemas in Practice 

Our characterisation of correct program schemas allows us to synthesise stead- 
fast open programs. This is a significant step forwards in the field of synthesis, 
because the synthesised programs are then not only correct, but also a priori 
correctly reusable. This is achieved by means of steadfast templates together 
with their constraints. However, since we have identified correct templates with 
steadfast programs, there seems to be some circularity in our argument: how 
can we guide the synthesis of steadfast programs by steadfast programs? The 
answer is that some open programs are “more open” than others, and that such 

^ This reduces the search space, but, in general, it could cut some solutions. We do 
not discuss this issue here. 
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“more open” programs thus have more “guiding power,” especially considering 
the specifications for their open relations. In |0, we discuss the synthesis of 
steadfast programs guided by correct schemas. To conclude this paper, in this 
section we briefly outline the main ideas. 

Much of the program synthesis process can be pre-computed at the level 
of “completely open” schemas. The key to pre-computation is such a schema, 
especially its constraints. These specifications can be seen as an “overdetermined 
system of equations (in a number of unknowns)”, which may be unsolvable as 
it stands (for instance, this is the case for the divide-and-conquer schema in 
Example El). An arbitrary instantiation (through program extension), according 
to the informal semantics of the template, of one (or several) of its open relations 
may then provide a “jump-start”, as the set of equations may then become 
solvable. 

This leads us to the notion of synthesis strategy (cf. Smith’s work [P5J). 
as a pre-computed (finite) sequence of synthesis steps, for a given schema. A 
strategy has two phases, stating {i) which parameter(s) to arbitrarily instantiate 
first (by re-use), and (ii) which specifications to “set up” next, based on a pre- 
computed propagation of these instantiation(s). Once correct programs have 
been synthesised from these new specifications (using the synthesiser all over 
again, of course), they can be composed into a correct program for the original 
specified relation, according to the template. There can be several strategies for 
a given schema (e.g.. Smith m gives three strategies for a divide-and-conquer 
schema), depending on which parameter(s) are instantiated first (e.g., decompose 
first, or compose first, or both at the same time). 

Synthesis is thus a recursive problem reduction process followed by a recur- 
sive solution composition process, where the problems are specifications and the 
solutions are programs. Problem reduction stops when a “sufficiently simple” 
problem is reached, i.e. a specification that “reduces to” another specification 
for which a program is known and can thus be re-used. This is thus the “base 
case” of synthesis, and requires a formalisation of the process of re-use (see 
for details). 

Let us illustrate these ideas on the divide-and-conquer schema. In 0, we 
design the following strategy for it: 

1. Select an induction parameter among x and y (such that it is of an 
inductively defined sort). Suppose, without loss of generality, that x is se- 
lected. 

2. Select (or construct) a well-founded order over the sort of the induction 
parameter. Suppose that ^ is selected (from a “knowledge base”). 

3. Select (or construct) a decomposition operator decompose. Suppose 
that the following specification is selected (from a “knowledge base” ) : 






Vx,ti,t2 : X,V/r : H. 

Idec(x) — > {decompose{x,h,ti,t 2 ) ^ Dec{x,h,ti,t 2 ))- 
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4. Set up the specification of the discriminating operator primitive. 
This amounts to first deriving a formula G such that 

T \= Mx, txi , tx 2 : X, yhx : H . G{x)t\ 

Dec{x, hx, tXi,tX2) <-> Ir{tX\) A Ir{tX2) A tXi ^ X A tX2 -< X, 
and then setting up the following specification: 

Vcc : X . primitive{x) ^ -^{Idec{x) A G{x)). i^prim) 

5. Set up the specification of the solving operator solve. All place-holders 

of S solve are known now, so we can set up a specification by instanti- 

ating inside S solve- 

6. Set up the specification of the composition operator eompose. Sim- 

ilarly, all place-holders of Scomp are known now, so we can set up a specifi- 
cation by instantiating inside Scomp- 



Four specifications (<S'^gc> ^prim’ ^'soive^ ^comp) have been set up now, so four 
auxiliary syntheses can be started from them, using the same overall synthesiser 
again, but not necessarily the (same) strategy for the (same) divide-and-conquer 
schema. The programs Pdec Pprim, Psoive, and Pcomp resulting from these aux- 
iliary syntheses are then added to the open program P^ of the schema, which 
extension of Pr is guaranteed, by Theorem [Q to be steadfast. 



Example 7. (A Sample Synthesis) 

Suppose in CIST {Elem, <) we want a steadfast sorting program with termina- 
tion requirement PG{sort, Ssort)- 

First, we select the specification of a decomposition operator part, partition- 
ing a list L into its first element h, the list A of its remaining elements that are 
smaller (according to <) than h, and the list B of its remaining elements that 
are not smaller (according to <) than h: 

-vL = nil ^ {part{L, h, A, B) ^ . 

L=h.TA perm{A\B, T)AA\ZhABZih) [Spart) 

where the following axioms: 

L C e ^ Va; . mem{x, L) ^ x <\e 
L □ e ^ Va: . mem{x, L) ^ <\e 



are added to CIST{Elem, <). 
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In pll, we synthesise the following extension of the divide-and-conquer tem- 
plate by using the strategy outlined above: 



sort{L, S) 
sort{L, S) 

primitive{L) 
solve{L, S) 
part{L, h, A, B) 
part{L,p, A, B) 
part{L,p, A, B) 
part{L,p, A, B) 
compose{e, C, D, S) 



primitive{L), solve{L, S) 

^primitive{L) , part{L, h, A, B), 
sort{A, C), sort{B, D), compose{h, C, D, S) 

L = nil 
S = nil 

L = h.T, part{T, h, A, B) 

L = niZ, A = nil, B = nil 

L = h.T, h <\p, part{T,p, TA, TB), A=h.T A, B = TB 
L = h.T, ~^h <\p, part{T,p,T A,TB), A = TA, B = h.TB 
append{C, e.D, S) 



This is the classical Quicksort program. After a series of unfolding steps, this 
program can easily be transformed into the program of Example Ei Note that 
this is an open program, as there are no clauses yet for append, nor for <. 



5 Conclusion 

We have shown that program schemas can be expressed as open (first-order) 
specification frameworks containing steadfast open programs, and we have out- 
lined how correct and a priori correctly reusable (divide-and-conquer) programs 
can be synthesised, in a schema-guided way, from formal specifications expressed 
in the first-order language of a framework. These aspects of schema-guided syn- 
thesis are our new contribution. 

Our work is very strongly influenced by Smith’s pioneering work in func- 
tional programming in the early 1980s. This is, in our opinion, inevitable, as this 
approach seems to be the only structured approach to synthesis. Our work is 
however not limited to simply transposing Smith’s achievements to the logic pro- 
gramming paradigm: indeed, we have also enhanced the theoretical foundations 
by adding frameworks, enlarged the scope of synthesis by allowing the synthesis 
of a larger class of non-deterministic programs, and simplified (the formulation 
and proof of) the theorem on the correctness of the divide-and-conquer schema 
(Theorem El). 

Future work includes redoing the constraint abduction process for a more 
general (divide-and-conquer) template, namely where nonPrimitive{x) is not 
necessarily -^primitive{x) , and developing the corresponding strategies, in order 
to allow the synthesis of a larger class of non-deterministic programs. 

Other strategies for the divide-and-conquer schema need to be elaborated, 
and other design methodologies need to be captured in program schemas and 
strategies. 

Another important objective is the development of a proof system for deriv- 
ing antecedents (as needed at Step 4 of the given strategy) and for obtaining 
simplifications of output conditions (the specifications and are often 

amenable to considerable simplifications) . Eventually, a proof-of-concept imple- 
mentation of the outlined synthesiser (and the adjunct proof system) is planned. 
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Abstract. The paper focuses on practical analyses for logic programs 
with delay. The method described is for downward-closed program prop- 
erties and, in particular, groundness. A program transformation is de- 
Hned which eliminates the delay statements but still enables an accurate 
approximation of the behaviour of delayed goals to be traced by the anal- 
yser. An implementation has been built which shows that the analysis 
can be both accurate and efficient. 



1 Introduction 

Second-generation logic programming languages, such as Godel, IF/Prolog, SIC- 
Stus Prolog provide flexible computation rules in which goals delay if their argu- 
ments are insufficiently instantiated. Goals are reawoken, later on, if their argu- 
ments become further instantiated. In these languages the default computation 
rule is left to right. Flexible computation rules can provide a sound treatment 
of negation, underpin constrained search, improve termination behaviour of pro- 
grams and allow co-routining. The program permute illustrates the use of the 
block declaration of SIGStus Prolog. 



permute([ ],[]). 
permute([u|a:l], y) 

remove(ti, y, z), permute(a;l, z). 

remove(a;, [tt|ul], z) 

new_remove(u, ul, x, z). 

block new_remove(?, 
new_remove(a:, x, z, z). 
new_remove(a:, u, yl, [w| 2 l]) 
remove(a;, yl, zl). 



ordered ([ ]). 
ordered ([a;]). 
ordered([a;, y|z]) 

new_ordered(a:, y, z). 

block new_ordered(— ,?,?), new_ordered(?, —, ?). 
new_ordered(o;, y, t/s) 

X < t/,ordered([t/|j/s]). 



Declaratively, the predicate permute/2 is true iff the first argument is a permu- 
tation of the second, remove/3 holds iff the second and third arguments are lists 
and the third can be obtained from the second by removing an element which 
corresponds to the first argument. The block declarations ensure that permute 

Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 1 4R- I1 (Sfl 1998. 

© Springer- Verlag Berlin Heidelberg 1998 
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terminates for all queries. In the declaration block new_remove(?, ?, — , — ), the 
” in the third and fourth argument positions means that in a call to new_remove/4, 
if the third and fourth arguments are both uninstantiated then the call will de- 
lay until one of these arguments becomes instantiated. Without the new_remove 
block declaration, the query ?- permute([l, 2], x). would backtrack into an infinite 
loop after producing the single solution a; = [1, 2]i 

The query ?-ordered(j/), permute([2, l],y). is an example of the generate-and- 
test paradigm and illustrates how block declarations can be used to improve 
efficiency. The block declaration for new_ordered/3 delays goals until both the 
first and second arguments are non- variable. This causes the ordered/1 goals to 
co-routine (interleave) with permute/2 goals constraining the search and reducing 
backtracking. 

Groundness analysis detects which program variables are bound to ground 
terms and is important in detecting determinacy, simplifying unification, etc. In 
0 it is also shown that groundness information can be used to simplify delay 
conditions, thus enabling transformations which give significant improvements 
in performance. In particular this allows the elimination of redundant delay dec- 
larations. Consider a groundness analysis for the query ?- @permute([l, 2], y)(5). 
where @ and ® denote program points. Groundness analysis should infer that 
y is ground at ® but may be either ground or non-ground at @ . Frameworks 
capable of tracing groundness in the context of co-routining, however, tend to 
be either imprecise or inefficient. This is reviewed in the related work section at 
the end of the paper. One of the major problems is in tracing the behaviour of 
delayed goals. Our method deals with this problem by transforming programs 
into abstract programs which have no delay statements but which can still trace 
the effects of the delaying goals. This enables potentially very efficient analyses. 

In a highly efficient groundness analysis using the Pos domain is given 
based on abstract compilation techniques. Following these techniques, we show 
that the Pos domain gives an accurate analysis for the special case of groundness. 
For example, with the above query to permute, our method will detect that y 
will be ground at program point ®. The method is simple to implement, and 
the results for the programs tested so far indicate an efficient analysis for small 
and medium-sized programs. 

The rest of the paper is organised as follows. In the next section a worked 
example demonstrating our approach is given. Section 3 gives the standard def- 
initions and notation used. Section 4 defines the Pos domain whilst section 5 
formalizes the program transformation central to the analysis and describes the 
abstract semantics. Section 6 outlines the implementation method whilst sections 
7 and 8 summarise related and future work respectively. 



® Note that an additional block permute(— , — ) declaration might also be useful since 
the query ?- permute(a;, y) enumerates its solutions in the following order: x = [],?/ = 
[ ];* = [zi],y = [zi]',x = [zi,Z2],y = [zi,Z 2 ]-,x = [zi,z2,Z3],y = [Z 1 ,Z 2 ,Z 3 ] etc, 
missing solutions such as a; = [zi,Z 2 ],y = [z 2 ,zi]. Unfairness can be avoided by 
delaying the call permute(a;, y) until either of its arguments are instantiated. 
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2 Worked Example 

To illustrate our approach to groundness analysis, consider the following query 
program below with initial goal query(x,j/) annotated with program points 
@7 ®7 ©) @ and ©. 



query(x, y) @delay(x, y), ®x = [ ] @ . 

block delay(— , ?). 
delay(x,y) @x = y © . 

The equations (j)a = <pb = £, 4>c = {x = [],y = []} represent the actual bindings 
on X and y at ® and © respectively. 

Our method basically transforms the program to a Datalog program which, 
although free from delay statements, can still trace synchronisation behaviour. 
The abstract program for query is listed below. Let gr{x) denote that x is a 
ground term. The unification x = [ ] has been abstracted by the propositional for- 
mula gr{x). The block declaration is modelled by the formula gr{x) — > {{gr{x) <-e- 
gr{x')) A {gr{y) ee- gr{y'))). The unification x = y has been abstracted by the 
propositional formula gr(x') gr(y'). The intention is that x' and y' will be 
unified with x and y whenever x is a ground term. 

query(x,j/) @de\ay{x,y) , ©){gr{x)} Q 

delay(x,y) @{gr{x) {{gr{x) ^ gr{x')) A {gr{y) ^ gr{y'))) 

A{gr{x') ^ gr{y'))} Q 

Restricting the formula on the right hand side of delay(x, y) to just the variables 
X, y we get the formula gr{x) {gf'{x) ^ gr{y)). At the program points @ and 
©, gr{x) holds and so at © the abstract description will be gr{x) A (gr{x) ^ 
gr{y)). This is logically equivalent to gr{x) A gr{y). Hence it has been deduced 
that X and y are both ground at © and so this is the answer pattern for delay. 

With the block statements removed, the call and answer patterns can now 
be computed automatically by transforming the abstract program with a query- 
answer transformation and then calculating the minimal model. Implementa- 
tion is thus straightforward even though synchronisation behaviour is accurately 
traced. Note that, in the case of the permute program, the analysis is powerful 
enough to infer that if the call pattern for permute(x,y) has x ground, then the 
answer pattern will have both x and y ground. 

3 Preliminaries 

3.1 Syntax of Logic Programs 

Var denotes the set of variables. Term the set of terms, Fred the set of predicate 
symbols. Atom the set of atoms of the form p{x) where p is a predicate symbol 
and X are distinct variables. Eqn denotes the set of finite sets of equations of the 
form a = b where either a,b € Term or a, b G Atom. A literal is either an atom 
or an equation whereas a goal is a finite sequence of literals. The sets of literals 
and goals are denoted by Lit and Goal respectively. A clause is a syntactic object 
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of the form h ^ b where h, the head, is an atom and b, the body, is a finite 
sequence of literals. Prog is the set of programs, that is, the set of finite sets of 
clauses. Var, Term, Atom, Eqn, Lit, Goal and Prog respectively have typical 
members v, w, x, y, z\ t; a, b; e; Z; G and P. Pq denotes a program P with initial 
goal G. Initial goals are restricted to be single atoms. Also var(obj) denotes the 
set of variables in a syntactic object obj, :: denotes concatenation of sequences, 
and e denotes the empty sequence. 

The set of idempotent substitutions from Var to Term is denoted Sub and 
the set of renamings (which are bijective mappings from Var to Var) is de- 
noted Ren. Sub and Ren extend in the usual way from functions from variables 
to terms, to functions from terms to terms, to functions from substitutions to 
substitutions, to functions from atoms to atoms and to functions from clauses 
to clauses. The restriction of a substitution 6* to a set of variables U is denoted 
by 9 \ U and the composition of two substitutions 9 and t) is denoted by 0 o 1? 
and defined such that {9 o d){u) = 9{'d{u)). e denotes the empty substitution 
and sets of substitutions will usually be denoted by <P and T. There is a natural 
mapping from substitutions to equations, that is, eqn{9) = {u = t\u ^ t & 9}, 
and mgu(E) denotes the set of most general unifiers for an equation set E. 

Let < denote the instance ordering, that is, 9 < 9' iS there exists a substitu- 
tion (7 G Sub such that 9 = ao9' . Similarly, a syntactic object o is an instance of 
another o' , denoted o < o' , iff there exists a substitution a such that o = cr(o'). 
Instance lifts to p{Atom) by / < /' iff for all a G I there exists a' G T such that 
a < a' . This, in turn, defines the equivalence relation that is / ^ iff / < J' 
and T < I. Finally, the (quotiented) set of interpretations Int = p{Atom)/ ^ is 
ordered by iff / < /'. 

3.2 Operational Semantics of Logic Programs with Delay 

The operational semantics is described in terms of reductions between states. 
The set of states is defined by State = Goal x Sub x Goal. A state (G, 9, D) 
records a sequence of literals G, the current substitution 9, and a sequence of 
delayed atoms D. For a given state s and a program P, the relation is 
defined such that h ^ b P iff there exists p G Ren such that p{h ^ b) G P 
and var(h ^ 6) n var(s) = 0. Similar to |E], to abstract away from particular 
language considerations, the operational semantics is defined in terms of two 
parametric functions reduce and woken. (In [II tij . a delay truth function is used 
instead with delay = -^reduce.) We say the atom a reduces with the substitution 
9 whenever reduce{a, 9) holds, whereas woken{D, 9) denotes the subset of atoms 
in D (ordered as a sequence) that are woken with the substitution 9. These 
functions are assumed to satisfy four conditions: 

1. a G woken{D, 9) a G D and reduce{a, 9). 

2. reduce{a,9) iff reduce{p{a) , p{9)) for all p G Ren. 

3. reduce{a,9) iff reduce{a,9 \ var(a)). 

4. \i9 <§ and reduce{a,d) then reduce{a,9). 

Definition 1 (reduction). The relation s— >ps' where s,s' G State is defined 
as follows: 
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— if s = {x = t :: G , 9 , D) then s' = {D' :: G,9' ,D \ D') where 
9' G mgu({x = t} U eqn(0)) and D' = woken{D, 9'); 

— if s = {a :: G,9,D) and reduce{a,9) holds then s' = (6 :: G,9',D) where 

b <Cs P and 9' G mgu({h = a} U eqn(0)); 

— if s = (a :: G, 9, D) and reduce{a, 9) fails then s' = {G, 9, a :: D). 

Note that when an atom a has no defining clause, reduce{a,9) fails and it is 
added to the delay sequence. In practise such an atom will usually cause an er- 
ror. These atoms are reduced, however, to avoid the need for an error state and 
thus provide a simple basis for analysis. Also the relative execution order of si- 
multaneously reawoken goals is left undefined to reflect the scheduling behaviour 
of implementations like SICStus [3] and IF/Prolog UJ. Our analysis defined in 
this paper is not dependent on any particular scheduling order for these atoms. 

Definition 2 (derivation). A derivation from a state s for a program P is a 
(finite or infinite) sequence of reductions si— >pS 2 ^p ■ • ■ where s = si. 

The operational semantics of a program is in terms of its qualified answers. 
Given a derivation from a state s and a program P with last state (e, 9, D) we 
say the tuple {9, D) is a qualified answer to s. It is successful if D = e and it 
flounders otherwise. Call patterns can now be defined in terms of the operational 
semantics. 

Definition 3 (call patterns). For a given program P and initial goal G, 
call(PG) = [{(1,0 [var(l)) | (G, e, e)^p*(l :: G', 0, D)}].. 

3.3 Galois Connections 

A Galois connection between D'^ and D is a 4-tuple {D {i=),a,D^ (E'^), 7 ) 
where D (C) and (E"^) are posets; a : D ^ and 7 : ^ D] a and 7 

are monotonic; d C 7 (a(d)) for all d G D and a( 7 (d"^)) E"^ for all d-^ G D^. 

We next formalise the notion of a downward-closed property, following a 
similar approach to P] . 

Definition 4 (downward-closure). 

— Given a poset D (C), the downward-closure of S' C D is defined by down{S) 
= jd G D I 3s G S.d E s}- S is downward-closed iff down{S) = S; 

— A Galois connection {D (CI),a,iD'^ (E^), 7 ) is downward-closed iff for all 
d-^ G l{d'^) is downward-closed. 

A predicate p on a poset D (C) is a subset of D and therefore is downward- 
closed iff the set p is downward-closed. A truth-function is downward-closed iff 
the predicate it defines is downward-closed. 



Example 1. Given the standard instance ordering on terms, the unary predicates 
gr and nv are downward-closed where gr and nv are defined such that gr{t) holds 
iff t is ground, and nv{t) holds iff t is non-variable. □ 
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4 Abstract Domains 



Abstract substitutions A Pos domain is used to capture positive information 
about 

downward-closed predicates. Following Q, we let l7s({A, V, denote the 
set of propositional formulae formed from the set of connectives {A, V, <-->, ->} and 
a set of propositional symbols S. A truth assignment is a function r : S — > {0, !}■ 
Given /, f S V, ->}), r \= f denotes that r satisfies / and the notation 

f \= f' abbreviates r \= f implies r ^ /'. Two formulae are logically equivalent, 
/ = /', iff / h /' and /' h /• 

To enable an analysis to simultaneously trace and relate multiple downward- 
closed properties, like groundness and non-variable (denoted from here on by gr 
and nv respectively), on a set of program variables V , Pos is defined in terms of a 
set of propositional symbols {gr{v), nv{v)\v S F}. More generally, given n prop- 
erties, pi, . . . ,Pn, the set of propositional symbols is {pi{v) |uGFAl<i< n}. 
As notation, we will usually add the j) annotation to denote abstract substitu- 
tions, that is, to indicate propositional formulae. 

Definition 5. Posy = {/ G 175({A, V, <-^, ->}) | u |= /} where S = {pi{v)\v G 
V} and u : 5" ^ {1} denotes the unit truth assignment. 

Note that if Posy is defined for a single predicate p\ then the definition can 
be simplified so that just the variables themselves represent the property. This 
special case coincides with the groundness analysis of 0,Q^]. Posyj= (|=) 
is a complete lattice with lub V and gib A and the least and greatest elements 
false and true Q. 



Abstraction and concretisation of substitutions To formalise the relationship be- 
tween a substitution and a formula an auxiliary function assign y is introduced. 
Because Pi{v) can be used both as a propositional symbol and to assert that pi 
holds for V, for clarity, in what follows a truth- function fi is used to test for a 
property in the concrete whereas pi is used for a symbol in abstract formulae. 



Definition 6. assigny{cj)) = A”=i A-ugv 9i('y) where qi{v) 



\Pi{v) ifA(u) 
\^Pi{v) if ~^fi{v) 



Note that assign y{4>) is not necessarily positive. 



Example 2. Suppose V = {x,g,z}, pi = gr, p 2 = nv, 4> = {x f{y)} and 
(j)' = {x I— ^ /(I),?/ 1 -^ 1} (note that 4>' < (f). Then 

assigny{(j)) = ^gr(x) A nv{x) A ~^gr{y) A ~^nv{y) A ~^gr{z) A ~^nv{z) and 
assigny{4>') = gr{x) A nv{x) A gr{y) A nv{y) A ^gr(z) A ~^nv{z). □ 



We can now define the concretisation and abstraction functions 7 and a. 

Definition 7. 



7 v : Posy p{Sub), ay : p{Sub) — > Posy 

= {<(> |Vp < -assign y{(p) \= (j)^, ay{<E) = A^c^vf^#) 
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Note that defining on Posy ensures that ay{<l>) £ Posy. 

Example 3. Suppose V = {x,y,z}, pi = gr, p 2 = nv and (p = {x /(?/)}• Let 
ipp = (gr{x) gr{y)) A nv(x). Then p £ ^y{(j)^) since assigny{(f>') |= (/>** for all 
p' <p. □ 

We now have a Galois connection between the abstract and concrete domains as 
stated below. 

Proposition 1. {p{Sub) {PP),ay, Posy (H)j7v") is a Galois connection. 

We also want to abstract concrete interpretations, which we shall use to define 
abstract call patterns. This is done by pairing atoms with formulae as follows: 

Definition 8. 



AtomP = \p £ Pred f\ £ PoSvar(a;)} 

The concretisation and abstraction functions can be naturally extended to in- 
terpretations as follows: 

Definition 9. 

7 : p{AtomP) — > Int 

7(L“) = [{(p(a;),0 r var(a;)) | {p{x),4P) £ I# A ^ £ 7var(a=) (</>“)}]- 

7 induces a natural equivalence relation on p{AtomP), that is l'^ « iff 7 (/**) = 
7 (/t* ). This in turn is used to define Int^ = p{Atom '^)/ the abstract analogue 
of Int. An ordering for Int^ is given by [/**]~ G [/** ]~ iff 7([/**]«) C 7 ([/** ]~) and 
the lub is defined by 

Definition 10. 

7 : Int^ — > Int a : Int — > Int^ 

7(L“) = [7(/“)]=««(L)=U/c,a/.M[^*]- 

We can thus prove: 

Proposition 2. {Int'^ (<),7) is a Galois connection. 

5 Abstract Compilation 

First we define the set of monotonic formulae, Mony. 

Definition 11. Mony = l7s({A,V}) where S = {pi{v)\v £ V}. 

For technical reasons apparent in the proof for safety, we define the abstract 
reduce function in terms of monotonic formulae. We will use certain properties of 
monotonic formulae in the proof. Here it suffices just to note that Mony C Posy. 
See, e.g. [7], for details. 
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Definition 12. 

reduce\p{x),(j)^) ^ G A V</> G 7var(a=) (</>*) .reduce{p{x),(j))). 

The intention is that an abstract goal will never reduce if its corresponding 
concrete goal never reduces. 

Example 4- Let us define reduce^ (p{x) , G 7var(a;) (</>*) ■reduce{p{x) , (p) . 

In SICStus Prolog, given the declaration block p{d\, ...,dn) for the n-ary pred- 
icate p, where di G { — ,?} for 1 < t < n, then an abstract reduce function 
is: 

reduce^ (p{x), 1= V nv{xi) 

di = - 

□ 

Next we define the program transformation central to the analysis. For clarity, 
we introduce a notation for writing propositional formulae in terms of their vari- 
ables rather than the properties of the variables (which strictly speaking are the 
propositional symbols), e.g. given the propositional formula q{p\{x), ...,pn{x)) 
we denote this by q{x). 

Definition 13 (abstract compilation a). 

0:|ci , . . . , CyiJ — Oclause |ci]] , Obot ■ 5 O^clause |Cn|] , O^bot [[^nj] 

aclauseb(a^) ^ =P{x') ^ (4 ^ (/)|) , Ogoal M 

ahotMx) ^ = p{x) ^ pI 

Q^goalPli • ■ • ? ^n| — CtliteralPlUi ■ • ■ i Q^literal Pn]] 

aiiteralb(^)! = P(^) 
aiiteralP = t'j = pi 

where 

' 4>i = A* 

^ reduce'^ ^ 

= «Lr(a==a=')(nigu({a; = x'})) 

>? = «Lr(t=t')(mgu({t = t'})) 

and x' are fresh variables, that is, var(a;') n var(p(a;) <— 6) = 0. 

Example 5. The abstract program for the program permute listed in section 1 is 
below. First note we have written new to denote the predicate new_remove. The 
first (normalised) clause for permute is 

permute(w, v):- m = [ ], f = [ ]. 

This is abstracted by the propositional formula nv{u) A gr{u) A nv{v) A gr{v). 
When Obot is applied to this same clause the propositional formula p\ obtained 
is again nv{u) A gr{u) A nv{v) A gr{v). 
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Next we turn to how the block declaration 
block new_remove(?, 

has been abstracted. Following Example E] the abstract reduce condition is mod- 
elled as follows: 

reduce^ {new_remoye{u,v,w,x),(j)^) ^ (f>'^ \= nv{w) V nv{x). 

For convenience, a separate predicate reduce is defined. This essentially consists 
of the propositional formula {cj>l cj>l) as given in the formal definition above. 



permute(M, v) 

{ nv{u) A gr{u) A 
permute(«, v) 

{ nv{u) A gr{u) <- 
remove(w, v, y), 
permute(a;, y). 

remove(M, v, w) 

{ nv{v) A {gr{v) <- 
new(rt, x, y, w). 
remove(u, v, w) 

( nv[v) A nv{v) A 
I gr{v) A gr{v) A 



new(M, V, w, x) 

nv{v) A gr{v) }. reduce(new(«, v, w, x), new(u' , v' , w' , x')), 

( nv{u') <-> nv(v') A gr(u') <-> gr(v') A 1 
> {gr(w) A gr{x))}, \nv{w') ^ nv{x') A gr{w') ^ gr(x') J' 

new(u, V, w, x) 

reduce(new(M, v, w, x), new(u', v' , w' , x')), 
{ nv(x') A igr{x') ^ (gr(v') A gr{y)))}, 
remove(rt', w' , y). 

(gr{x) A gr{y))) },new(M, v, w, x) 

( nv{u) A nv{v) A nv(w) A nv(x) A 1 
\ gr(u) A gr(v) A gr(w) A gr(x) J ' 

nv(x) A 1 
gr(x) /■ 



reduce(new(u, v, w, x' 


, new(w' 


v' , w' , X 


')) 




' (nv(w) V nv{x)) — > 




' 




nv{u) <-> nv(u'] 


Agr{u) 


^gr(u') 


A 


< 


nv{v) <-> nv{v'] 


Agr{v) 


^gr(v') 


A 




nv{w) ^ nv{w' 


)Agr{w] 


^ gr{w'] 


A 




nv{x) <-> nv{x'] 


A gr{x) 


^gr(x') 





□ 



Note that having Obot as part of the definition will lose no precision in the 
analysis. This is because it merely adds the possibility that all properties might 
hold at (almost!) any point in the program. But since only downward-closed 
properties are considered, this is already implicitly assumed. We are, however, 
making sure that all the abstract programs will terminate. If termination is not 
ensured then information may be lost in the case when delayed goals remain 
unexecuted in the concrete program. 



Example 6. Suppose we had defined a\ci , . . . , c„] = Ociauselci], . . . , 0 !ciause[[c„]. 
Consider the call and answer patterns of the loop program (listed below on 
the left) with an initial goal go, and the corresponding abstract program (listed 
on the right) defined by loop^ = a poop] for a Pos domain that just traces 
groundness, that is, p\ = gr. 



go p{v),r{v) 
block p(— ). 
p{w) q{w). 

Q{y) ■- <i{y)- 

r(z). 



go p{v),r{v). 

p{w) {gr{w) {gr{w) ^ gr{x))), g{x). 

y[y) y{y)- 

r{z). 
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The only derivation for loop flounders and is finite 

(go;e; e)^ioop{p{w),r{w); e; e) ^ loop {r{w)-,e;p{w))^ loop {e; {w z};p{w)) 

whereas the only derivation for loop^ is infinite since q{y) will be executed. One 
consequence of this behaviour is that the control fails to reach the goal r{v) so 
that the abstract call patterns of loop^ do not safely abstract the concrete call 
patterns of loop, that is, 

call{loopgo) = [{(go,£),(p(a;),£:),(r(a;),£:)}].^ 

call*(Zoopgo) = [{(go, true), {p{x), true), {q{x), true)}]~. 
so that call(ZoopgQ) % 7 (call**(Zoopgo))- 

Defining a|ci, . . . , c„]] = Odauselcil, abotlci]] . . . , aciause[[c„l, abotIc„]| however, 
we instead get 



go p{v),r{v). 
go gr{v). 

p{w) {gr[w) {gr{w) ^ gr[x))), g{x). 
p{w) gr{w). 



Q{y) ■- <}{y)- 
y{y) ■- gr{y)- 

r(z). 

r{z) gr{z). 



The infinite loop caused by executing q{x) is now avoidable and so we get 
(r(x),e) e call**(loop|o). □ 



Finally, we introduce an operation to relax the propositional formulae obtained in 
the call patterns. The relax operation is required for technical reasons which are 
apparent in the proof for the safety of the analysis. For the case where only the 
property of groundness is analysed, the relax operator weakens a propositional 
formula to a (monotonic) conjunction of ground variables. 

Definition 14. 



relax v{4>^) = /\ {pi{x) \v G V A |= Pi{v) for 1 < i < n } 

relax{[I^~) = [{(p(a:), reZaa;var(a,)(</>*)) | {p{x),(j)^) G }]_ 

The following example illustrates the problems that can arise without this weak- 
ening of the formulae. 

Example 7. Consider the program P listed below on the left together with its 
corresponding abstract program P'^ on the right. 

go p[x, y), q{x, y). go p[x, y), q{x, y). 

block p(-,?). p{x,y) {gr{x) ^ gr{y)). 

p{x,y) X = y. q{x,y). 

q{x,y). 

With the initial goal go, the atom p{x, y) will be delayed and the call pattern for 
q{x,y) is (q{x,y),s). The abstract call pattern is {q{x,y),gr{x) gr{y)). Note 

that even though assz 5 n^aj.(q(x |= gr{x) — > gr{y), due to the downward- 

closure condition imposed on 7 we have e ^ 7 var(q(x,y))( 5 ?'(a;) ^ gr{y)). Ap- 
plying the relax operation, however, we instead get the abstract call pattern 
(q{x,y), true) and we now have £ G 7 var(q(x,y))(^^'we). □ 
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We now formally describe an abstract semantics. Like the concrete semantics, 
this is described in terms of reductions between states. The set of abstract states 
Stated is defined by Stated = Goal x Posvar- 

Definition 15. For an abstract program P\ the abstract reduction relation 
s— >P#s', where s, s' G State^ and s = {I :: I, (/>**), is defined as follows: 

— if / G F'oSvar(s) then s' = {I, (/)* A /); 

— if Hs p{x) and h ^ b <Cs P** then s' = {b :: I, <j)^ A ip^) where 

= avar(h=i)(w5u({/i = Z})). 

Thus an abstract derivation from an abstract state s® for an abstract program P® 
is an (finite or infinite) sequence of abstract reductions ■ • ■ where 

s# = si^*. Abstract call patterns can now be defined in terms of the abstract 
semantics. 

Definition 16. call**(Pt*Qit) = [{(1,0** [ var(l)) | (G**, trMe)^p#*(Z :: G**^0**)}]~ 

The theorem below ensures the safety of the analysis. The proof is given in the 
appendix. 

Theorem 1 (Safety). If P** = a|P]|, and G** = Qfgoai[G]| then 

call(PG) < 7(reZaa;(call(P**Git))) 



6 Implementation 

An analyser has been implemented in SICStus Prolog which takes, as input, 
SICStus Prolog programs with block and freeze declarations and produces, as 
output, call patterns for each predicate in the program. The analyser is largely 
based on [Q and essentially infers which program variables are bound to ground 
and non-variable terms. Following Q, Pos formulae are represented as their 
models and n-ary predicates iff(x, cci, . . . , Xn-i) are used to express formulae of 
the form x xi A . . . A Xn-i- 

Example 8. Consider again the abstract permute program and, in particular, the 
new and reduce predicates of example 0 In the case of new, each of its clauses are 
translated into a clause by expressing Pos formulae, like gr{x') {gr{v')/\gr{y)) 
and nv{x'), in terms of iff predicates, like iff(nv(x' )) and iff(gr(x'). gr(P), gr(y)). 
The single reduce clause, on the other hand, is expanded into three clauses, 
the formulae {x\ V X2) ^ X3 being logically equivalent to (xi A X3) V (x2 A 
X3) V (->xi A -'X2). The neg(x) predicate expresses ~^x. Note that although 
is not positive, the model represented by the disjunction of the three clauses is 
positive. Expressing implications as non-positive formulae merely simplifies the 
translation of block declarations. 
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reduce(new(u,w,w,a;), nevj{u' ,v' ,w' ,x')) 
iff(nv(ui)), 

iff(nv(«), nv(«')), iff(gr(u), gr(«')), 
iff(nv(n), nv(n')), iff(gr(n), gr(n')), 
iff(nv(w), nv(w')),iff(gr(w), gr(w')), 
iff(nv(a;), nv(a;')), iff(gr(a:), gr(a;')). 
reduce(new(u,n,w,2:), 
iff(nv(a;)), 

iff(nv(«), nv(ti')), iff(gr(u), gr(w')), 
iff(nv(n), nv(n')), iff(gr(n), gr(n')), 
iff(nv(w), nv(w')),iff(gr(rc), gr(w')), 
iff(nv(a;), nv(a;')), iff(gr(a;), gr(a;')). 
reduce(new(u,n,w,2:), nevj{u' ,v' ,w' ,x')) 
neg(nv(u;)), 
neg(nv(a;)). 

Finally, a magic transform (see, e.g. 0) coupled with bottom-up evaluation is 
used to calculate the call patterns of the predicates. □ 

The benchmarks below are arranged in order according to size. The first 
program permute.pl is defined earlier in the paper, slowsort.pl (a generate and 
test algorithm) and interl.pl (simple interpreter for co-routining programs) are 
NU-Prolog programs with dynamic scheduling written by L. Naish which have 
been translated into SICStus. nand.pl (a nand-gate circuit designer written by E. 
Tick) and transp.pl (a matrix transposer written by V. Saraswat) are programs 
with dynamic scheduling resulting from the automatic translation of concurrent 
logic programs by the QD- Janus system 0. Dynamic scheduling is used to em- 
ulate the concurrency present in the original programs. The programs send.pl 
(a cryptoarithmetic problem) and queens.pl (a coroutining n-queens) were pro- 
vided by M. Carlsson. Finally primes.pl (a lazy primes sieve) and permcon.pl (a 
monotonic permutation generator) have been written by ourselves. 



new(u, V, w, x) 

reduce(new(u,v,w,x), new(u' ,v' ,w' ,x')), 
iff(nv(«'), nv(w')), iff(gr(u'), gr(w')), 
iff(nv(w'),gr(a;')), iff(gr(w'),gr(a;')). 
new(u, V, w, x) 

reduce(new(u,v,w,x), new(u' ,v' ,w' ,x')), 
iff(nv(x')), 

iff(gr(a;'). gr(v'), gr(y)), 
remove(u', w' , y). 
new(u, V, w, x) 

iff(nv(«)), iff(nv(v)), iff(nv(w)), iff(nv(a;)), 
iff(gr(u)), iff(gr(v)), iff(gr(u;)), iff(gr(a;)). 



Program 


Cl 


Lit 


DL 


Analysis Time (Secs) 


permute.pl 


5 


4 


1 


0.00 


send.pl 


6 


13 


4 


0.01 


slowsort.pl 


9 


8 


8 


0.01 


primes.pl 


10 


12 


8 


0.01 


interpl.pl 


11 


10 


3 


0.01 


queens.pl 


12 


17 


1 


0.01 


permcon.pl 


21 


28 


7 


0.03 


nand.pl.pl 


90 


157 


13 


0.41 


transp.pl 


112 


180 


20 


1.10 



Cl is the number of clauses analysed. Lit is the number of literals and DL 
is the number of delaying literals. The analysis times are based on a Pentium 
200MHz PC machine with 64M of memory running SICStus prolog version 3.5 
under Linux where the analyser is compiled into compact code (byte code). 
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Our times indicate an efficient analysis for small and medium-sized programs. 
This is in contrast for the times reported in m for a groundness and non- 
variable analysis based on the more general closure framework of m- Although 
the results given in m were mostly acceptable, there were some anomalous 
times. In particular the time quoted for transp.pl was 168.5 seconds compared 
to 1.10 seconds using our analyser. (Note that this is not an exact comparison 
since the times are based on different machines.) 



7 Related Work 



Suspension- analysis framework The simple and practical framework of 0, though 
adequate for inferring suspension-freeness - its primary objective - it does not 
provide a suitable basis for accurately tracing properties like groundness since 
it abstracts the behaviour of possibly delaying goals in a very conservative way. 
Even when equipped with a Pos domain (rather than a traditional mode domain 
[0) the analysis cannot infer modes to the precision of our framework. 

Multiset framework The multiset framework of m uses a multiset to record 
which atoms are definitely delayed and which atoms are possibly delayed. How- 
ever, in [ inT| (which builds on and improves the method) it is reported that “the 
analysis is imprecise and rather inefficient in practice” . 

Closure framework In an attempt to alleviate some of the problems with the 
multiset framework, a closure based semantics is proposed in m- The semantics 
improves the precision but efficient implementation is still difficult. For example, 
for the approach to be practical, the implementation described in m makes 
“observational equivalence” of closures, represents closures in a special way, and 
uses a number of techniques, including the differential approach m, to improve 
the handling of cases when no atoms are delayed. Furthermore, this framework is 
more complicated than necessary for applications like determinacy analysis since 
the framework is aimed at tracing properties such as definite freeness that are 
not downward closed. Our work adapts and simplifies this work for applications 
like determinacy analysis. In m, the closure framework is used to underpin two 
program transformations: one that simplifies delay conditions, and another that 
reorders delayed literals. 

Abstracting synchronisation framework Our transform, which encodes syn- 
chronisation, is not to be confused with the NoSynch transform of pg which 
removes synchronisation from a concurrent constraint program. The work of 
shows how analyses developed for constraint programs can be used to reason 
about non-suspending concurrent constraint programs. 

Abstract compilation frameworks Our analysis blends the closure framework 
of [II ;tj with the abstract compilation work of 0 and |l 1)J . Abstract compilation 
and abstract programs have been proposed for deriving modes SE], encoding 
regular approximations m, inferring directional types |0 and deducing inter- 
argument relationships H- In addition, IP CU, HD and |0] present abstract 
compilation schemes in which analysis is realised as the bottom-up and top- 
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down evaluation of constraint logic programs. None of these approaches, however, 
traces synchronisation behaviour. 



8 Future Work 

Future work will focus on generalising the technique to other downwards-closed 
domains and then later to non downwards-closed domains. Another direction 
would be to investigate how demand-driven analysis can be used to infer the 
modes that suspending goals are reawoken with. We also plan to adapt widening 
techniques from [Q and investigate their effect on our method. 
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A Proof for Safety 

The first stage of the proof is to define semi-abstract reduction sequences. These 
are sequences where the selection rule of the concrete derivation is preserved. 
Hence each abstract state for a semi-abstract reduction sequence requires a set 
to store delayed atoms (as in the concrete case). The next stage is to define a 
reordering procedure for the semi-abstract reduction sequences. This allows us 
to obtain the “full” abstract reduction sequences. 

Note that for ciciauselci], Ogoailb], . . . we omit the subscript to instead write 
a(ci), a{b), . . . 

Definition 17 (labelled reductions). Reductions are labelled s^p’^s' as fol- 
lows: 

— ifs= {l-.-.G,9,D),lisx = t and s' = {D' :: G, 9',D\D') then s' 

— if s = (^ :: G, 9, D) and I is an atom such that reduce{l, 9) holds and 
s' = (6 :: G,9',D) then s^p s'; 

— if s = {I :: G,9,D) and I is an atom such that reduce{l,9) fails then 

Definition 18 (derived selection rule for a sequence of reductions). 

Given a sequence of reductions si^p...^pSn, the derived selection rule is 
< 7 i, . . . where for each 1 < f < n — 1, Si^p'^*Si+i. 
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Definition 19 (semi-abstract reduction sequences). 

Suppose si— >p . . . — is a sequence of reductions with the derived selection 
rule (?i, . . . q-a-i- Then the semi-abstract sequence of reductions s(=>p# . . . =^p#sjj 
is defined such that = {a{Gi),true, e), and for each 1 < z < n — 1, letting 
Si = (a(Gi),(^f,a(A)) then 
Sj+i = (a(Gj+i),^f_,_i,a(A+i)) where: 

— if qi = (r{l),D), a{Gi) = a{l) :: a{Gi) and a{l) G -PoSvar(s) then a(Gi+i) = 

a(D) :: a(G'), a(0> and o;(A+i) = a(A) \ a(D); 

— if gi = (r(/), b), a{Gi) = a{l) :: o:(G'), a{l) is p{x) and 

P{y) ^ ^ then a{G^+i) = a(b) :: a(G'i), 

4>i+i = A A {4>l 4>i) and a(A+i) = a{Di) where 

= avar(p(a=)=p(o='))("igM({p(a:) = p{x')})), (j>l = \J reducet{p{^'),4>i) 4>K 

= “!ar(a:'=y)(’a‘gu({a:' = v})) , and also var(si), var(a;') and var(p(y) ^ b) 
are all distinct from each other. 

— if = {d{l), e), a{Gi) = a{l) :: a(G') and a{l) isp{x) then a{Gi+\) = o;(G'), 
4>\+i = 4>\ and a(A+i) = a(A) U {a(Z)}- 

Lemma 1. Let si^p . . . — >ps„ be a sequence of concrete reductions such that 
Si = {Gi,9i,Di) for each 1 < z < n. Then in the sequence of semi-abstract 
reductions s[^p . . .^ps'^ we have s' = {a{Gi),(j)l,a{Di)) and also for every 
I < i < n 

assf5zZvar(si)(^i) 1= \ var(si). 

Proof. The proof is by induction on z. 

For the base case we have z = 1 and si = (Gi,e, e), s( = {a{Gi),ti"ue,e). 
But asszgn^jjr(si)(^) 1= trite and so the result holds. 

Next consider the induction step. First suppose that Gi = h :: G[ where k is 
an equation x = t. Here we have st = {x = t :: G', 9i, Di)^p{D :: G', 0', Di \ D) 
where 9' G mgu({x = t} U eqn(0i)). Using |^e induction hypothesis there is a 
state 

s' = {a{x = t :: Gf),(j)\,a{Di)) with assign^^^^^.s^{9i) |= cj)l \ var(si). Now 
s'i=>pt{a{D :: Gt),^f A a{li),a{Di) \ a{D)), and also we have 

a{k) = Q!var(x=t)(nigu({x = t})). But 

mgu({x = t}) C7^ar(x=t)(avar(x=t)(mgu({x = t}))) 

and so for ip G mgu({x = t}) we get ^ o;var(x=t)(nigu({x = 

t})). Now var(si) = var(si+i), and so it follows that for 9' G mgu({x = t} U 
eqn(6»i)) we get asszgrz^ar(si+i)(^') h avar(x=t)(mgu({x = t})) ( var(si), as 

required. (This last step corresponds to the safety of abstract unification for the 
Pos domain. See, e.g. [7] for details). 

Next suppose that is an atomp(a;) and^z suspends, i.e. Sj = {li::G'i, 9i,Di)^p^ 
Sj+i = (G', By the induction hypothesis, s' = {a{li :: Gi),4>\,a{Di)) 

with assign^^^^^^.){9i) |= (j)\ \ var(si). But s'i^pi{a{Gi),4>\,a{Di) U {a{k)}), and 
since var(si) = var(si+i) the result follows. 
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Finally, suppose that U is an atom p{x) and reduces, i.e. Si = {U :: G', 9i, Di) 
{b :: GpO' , Di) where O' G mgu({h = 1} U eqn(0i)), h = p{y) and 
p{y) ^ b PK Now s'^pit(a(6 :: G'),<^f A A (</># ^ </>|),a(A)), where 
= avar(p(a=)=p(o='))(wffw({p(®) = P(®')})) &nd ^ = Vred«ce#(p(a='),0») ^ud 
= “Lr(a;'=y)(™g’^({=®' = y}))> ^^so var(a:'), var(Sj) and var(p(y) ^ b) 
are all distinct variables. We have as sign |= 4>\ by the induction hy- 

pothesis. Can show that mgu({h = 1}) C 7var(si)((y’** A ^|) f var(si)) and 
hence assz5n^ar(si)(V') 1= ('F* A (j)\) \ var(si) for ip G mgu({h = 1}). Hence 
from the induction hypothesis, assign^^j.^^.-j{9') ^ (0? A A </>|) f var(si) since 

9' G mgu({h = 1}) U eqn(0i)). Noting that a ^ 6 = V 6, it follows that 

aSS*ff«var(si)(^'') H {4>\ A p^ A ^ (/)|)) f var(si) as required. 



Definition 20 (reawoken goals). Suppose si ^ p # . . .->-ptSn is a sequence of 
semi-abstract reductions with selection rule qi, ■ ■ ■ ,qn-i- An atom a is reawoken 
if there exists 1 < i < j < n such that qi = (d(a), e) and qj = (r(a). A) for some 
A. 

Lemma 2. Let s = (G :: G',(j)^,D) be an abstract state. Then there is a se- 
quence of abstract reductions such that s — ^pu . . . — >pis' = (G', (j)^ , D) for some 
(f>^ . 

Proof. Follows easily since every abstract atom p{x) has a rule p{x) ^ 0^ defin- 
ing it. 



Definition 21 (procedure for reordering reductions). 

Let si=^p# . . . =4>p#s„ be a sequence of semi-abstract reductions labelled by 
qi, . . . ,q„-i, and suppose there are m reawoken goals. The procedure R{m) is 
defined inductively according to the number of reawoken goals m as follows: 

— If there are no reawoken goals then the sequence remains the same. 

— If there are m + 1 reawoken goals then suppose the procedure R{m) for m 
reawoken goals is already defined. Let sj = (/ :: G,(p^,D) be the state such 
that qj = (r{l), A) where I is the last reawoken goal in si=^p# . . . =^p#s„, and 
suppose 3jo < n such that Sj=^p# . . . =^p#Sjo = (G, (jA , D'). Let qf, . . . , <7™ 
be the selection rule obtained by applying R{m) to Sj=^p# ...=^p#s), where 
the selection rule giving this sequence is the same as qi, . . . ,qn-i except 
that it does not reawake 1. Letting qJA = (d{l),e), replace the selection rule 
q'^, ... , q)D) with the new selection rule 

1’ • ’ • 1 — ^fc+1’ • ■ • ’ ^no’ 1 Hn—1- 

— For the case above suppose there is no jo < n such that Sj=^p# . . . ^p»Sj„ = 
(G, 0® ,D'). As above, let q'ff , . . . , qff^ be the selection rule obtained by ap- 
plying P(jn) to s(=^p# . . . =^p#sf . Let s„^p# . . . ^p#Sji+i be a sequence of 
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reductions (obtained using the atot clauses) such that s^y+i = (G, (/>* ,D'), 
and also let Qn, ■■■ , be the derived selection rule for this sequence. Letting 
qjf = (d(/),e), replace the selection rule qf^,...,qff^ with the new selection 
rule 

di j ■ • ■ ) yfc-i) dj! ■ ■ ■ jdnj dk+i> • ■ • ) dno ■ 

Proposition 3. The process above terminates with the new selection rule con- 
taining no reawoken goals. 

Definition 22. Let si^p . . . — be a sequence of concrete reductions with 
Sn = {In ■■ Gn,0n, Dn). Also suppose there is a state Si = {k :: Gi,9i,Di) such 
that Si^p{b :: G)9\D') and In S b. Then for any literal I, I is a, parent atom 
of In if either I = li or I is a parent atom of li. 

Definition 23. Let si— >p . . . ^pSn be a sequence of concrete reductions with 
Sn = {In ■■ Gn, 9n, Dn). Then s„ is in a reawoken part of si^p . . . -^pSn iff In has 
a parent atom which is reawoken. Otherwise we say that s„ is in a non-reawoken 
part of si— >p . . . ^pSn- 

Lemma 3. Suppose is a monotonic formula. Then assign y (9) \= <p^ ^ 9 G 
lv{(p^)- 

Proof. In 1(7] it is shown that assign y {9) \= (jf^ ^ assign y {9') |= for all 9' <9 
when (j)^ is monotonic. Hence result follows from the definition of 7 y(^^). 

Lemma 4. Let si~>p . . . ^pSn be a sequence of concrete reductions with m 
reawoken goals, and suppose that Si = {U Gi,9i,Di) is a state in a non- 
reawoken part. Then there is a state s'^ = {a{k) :: G[, 4>\^, D{^) in the sequence 
of semi-abstract reductions s'l^p# . . . =>p#sjj^ given by R{m), \= 

reZaa;var(ii)(0!o)- 

Proof. By lemma Qthere is a semi-abstract sequence of reductions with the same 
selection rule as the concrete sequence of reductions and also with assign^^^.^^^^-^ (9i) 
^ (pi \ var(si) for each i. By induction on the number of reawoken goals m, we 
show that assign^^^(^^^^{9i) |= \ var(si) in the semi-abstract sequence given by 

R{m). Since \ var(si) |= relax ^^^(\p^{(p\^), the result then follows. 

If the are no reawoken goals then the semi-abstract sequence remains un- 
changed and so the result holds. 

Suppose there are m+1 reawoken goals. Let Sj = {I :: G,cp‘^,D) be the state 
such that qj = {r{l), A) where I is the last reawoken goal in si=7pj . . . =>pj s„, and 
suppose 3jo < n such that Sj^pt . . . =^p#Sjo = (G, p^\D'). Let g™, . . . , g™ be 
the selection rule obtained by applying R{m) to Si=J>p# . . . =^p#s' . Letting = 
(d(0, e), the new selection rule is . . . , C-i> ■ ■ ■ , 9jo-i) > Co > djo > 

. . . ,qn-i. Let Si be a concrete state in a non-reawoken part. First suppose i < 
j. By the induction hypothesis there is a corresponding state = {a{k) :: 
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G', in the semi-abstract sequence of reductions s™=^p# . . . =^p#s™ given 

by R{m) with assign^^j.(^^^^{9i) |= Consider the selection rule given by R{m + 

1). For every 1 < i' < fc, we have 5™“''^ = s™. Hence the result holds for this 
case by the induction hypothesis. Let I = p{x). We have 

sT+^ = {a{l) ::G',4,G')^p«...^p« 

= (G', 4 A A (4 ^ A 4, D") 
for some 4^ where 4 = a^a.r{p(^)=p{^'))i.'rngu{{p{x) =p(a;')})) and 
4 = \j reduceHp(^'),4>^) 4 and 4 = a“^^(^,^^)(mgu({a;' = y})), and also var(®'), 
var(s^ and var(p(y) ^ b) are all distinct variables. It follows that for all k < 
i' < i we have 

= ih' ■■■■ Gp, 4 A 4 A (4 - 4) A 4. A') 

where s™ = {k' :: Gi',4:D[') some G', . Now for every concrete state Si in 
a non-reawoken part, reduce{li, 9i) fails. Hence it is sufficient to show that 

ass*5?*var(so(^i) 4 ^ A A (4 ^ 4) A 4 

whenever reduce{li,9i) fails. 

Let 4 = y reduceHvi^), 4,^)4 . and suppose that assign^^^^^d^) h 4- Then 
assign^^j.fj^^{9i) |= 4 also. Since pi is monotonic, we get 9i G 7var(ii)(<A**)- But 
reduceyii, pI) holds and so we must have reduce{li,9i) holds. This is a contra- 
diction, and so we cannot have assign^^^^^^di) H 4- Since var((/?J!) C var(sj) 
it follows that assign (^^4^ i) H ^4r- Hence we also get as sign \= 

44r^4) \ var(si). Therefore we have as sign i) H {4^^4r^4) \ var(si). 
Now since var(4) are distinct from both var(si) and va.r{p^), it also follows that □ 
as sign i) 1= {4 /^^4r ^4 ^4b) \ var(si). Hence no tFril that a — > 6 = ^oV6, 

we obtain as sign (^4^ i) 1= {4 A (4 ^ 4s) A A 4) \ var(si) as required. 

Next suppose that i > j. Since Si is in a non-reawoken part we must have 
i > jo - Consider the corresponding state s^^ for Si in the sequence of reductions 
given by R{m + 1), i.e. the state with = '?(*)■ The goals reduced in the 

sequence s™“''^=>p# . . . =^p#s™''"^ will be the same as those reduced in the semi- 
abstract sequence of reductions with the selection rule (?i, . . . ,qn-i- Hence this 
corresponding state will be the same as the corresponding state in the semi- 
abstract sequence of reductions with the same selection rule as the concrete 
sequence of reductions. Hence the result follows from lemma 1. 

For the third case (of definition 21), the proof follows similarly to the above. 

Lemma 5. Let si^p . . . ^ps„ be a sequence of concrete reductions such that 
Sn = {I G,9,D) with Sn in a non-reawoken part. Then there is a sequence 
of abstract reductions s'^^p# . . . such that s',^ = (a{l) :: G',4) s.nd 

ass*5”var(i)(^') h relax^^r(i){4)- 

Proof. Suppose V G D. Hence for all 1 < i < n, reduce{l\ 9i) fails where Si = 
{Gi,9i, Df). Let Sj be the state such that qj = {d{l'),e). In the semi-abstract 
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sequence of reductions obtained using lemma 0 replace qj with g' , g" where 
g' = {r{l'),(j)l) (where I' ^ (j)l <Cs P^), and g" = {r{(j)l),e). We can now show 
that assign^g^^(j^{9) |= reZaa;var(i) (<('** ) with the new semi-abstract sequence of 
reductions using a similar argument to that found in the proof of lemma 0 
Repeating this process, we end up with a semi-abstract sequence of reductions 
without any atoms being delayed. This is equivalent to having a sequence of 
“full” abstract reductions. 



Lemma 6. Let si^p . . . ->-pSn be a sequence of concrete reductions such that 
Sn = {I ■■ G,9,D) where is in a reawoken part. Then there is a sequence of 
semi-abstract reductions s'^— >p# . . .— >p#s(„ such that s'^ = {a{l) :: G", (/>•*) and 
assz5rivar(i)(^) h ’’eZaXvar(i) (</>•*)• 

The proof (omitted here) essentially involves defining a procedure giving a 
reordering of the concrete sequence of reductions similar to that given by the pro- 
cedure R{m) for the semi-abstract reduction sequences. This allows us to obtain a 
new concrete substitution 9' such that 9 is an instance of 9' and assign^^j. (i)(0') h 
(j)K Given this, it then follows that assign^g^^(j^{9) ^ relaxva.r(i){4’'^) as required. 

Theorem 2 (Safety). If P^ = a IP]], and = OgoailG] then 

call(PG) < 7(reZaa;(call(P**Gii))) 

Proof. If {1,9 \ var(l)) G 7(reZaa;(call(Pl*Gii))) then exists \ var(l)) G 

call(Pl*Git) such that 9 G 7var(i)(’’e^«2^var(i)(?^**))- Since reZoXvar(i) (</***) is monotonic 
this is equivalent to having assign^,^^fj^{9) |= reZaa:var(i) (?^**)- Hence the result 
follows from lemmas 0 and 
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Abstract. The aim of this work is to describe a procedure for the par- 
tial evaluation of functional logic programs in rewriting-based languages 
using constraint-based information propagation. The constraint-based 
partial evaluation algorithm incorporated with local and global control 
describes a KMP partial evaluator. Results from the implementation of 
the partial evaluator in the functional logic language Escher show that 
the algorithm is also able to perform intermediate list elimination. Re- 
naming operations and termination and correctness properties are pre- 
sented. Finally, extensions of the constraint-based procedure which may 
lead to greater specialisation are discussed. 



1 Introduction 

Partial evaluation is a program transformation technique which optimises pro- 
grams by performing some of the computation at compile-time. A partial eval- 
uator, given a program and some of the input to that program, will generate a 
residual program, which is the original program specialised with respect to that 
partial input. Given the rest of the input data, the residual program computes 
the same answers as the original program run with the entire set of input data. 

The algorithm described in this work transforms rewriting-based functional 
logic programs by partial evaluation. An example of a such a language is the 
Escher language Generally, in these functional logic languages, terms 

are rewritten by matching a term to an instance of a statement in the program. 
In Escher, the concept of substitution is not defined. This differs from narrowing- 
based functional logic languages, in which unification propagates answers to a 
term, computing answer substitutions for variables in the term. 

This partial evaluation procedure uses constraint-based information propa- 
gation to improve the specialisation of the transformation. There are several 
different methods for propagating information during program specialisation. 
Tabled from |G^ : shows the effect of transforming a conditional statement 
in each case. 

Traditional partial evaluation of functional programs uses constant 

propagation; this was shown to be less powerful than partial evaluation in 
logic programming (called partial deduction |T.SP1 j ) which is a unification- 
based program transformer pSG.TOdj Positive supercompilation has adopted the 



Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 168-^SSI 1998. 
(c) Springer- Verlag Berlin Heidelberg 1998 



Constraint-Based Partial Evaluation 



169 





T| if u = V then t else s] = 


information propagation 


(a) 

(b) 

(c) 


if ti = w then T[t] else T[s] 

if ri = w then := w}] else T|s] 

if ri = w then Tlt{u = v}] else T[s{ri ^ ii}] 


constant propagation 

unification-based 

constraint-based 



Table 1. The types of information propagation, from Gliick and Sprensen, 
LNCS 1110. 



unification-based information propagation procedure for the partial evaluation 
of functional programs [CSG,I9KI IGb9Kj . The technique resembles that of partial 
deduction a partial process tree is generated using driving and generali- 

sation from which a program is extracted. In addition, the partial evaluation of 
narrowing-based functional logic programs also uses unification-based propaga- 
tion I IAFV96I irF\TW7| . 

Both positive supercompilation and partial deduction pass the KMP test, 
which checks that the residual program generated from a naive pattern matcher 
has the efficiency of a Knuth-Morris-Pratt pattern matcher. However, the pattern 
matching programs generated using unification-based partial evaluation usually 
contain one or more unnecessary tests in the residual program; this is due to 
the lack of negative information in the transformation. Program transformation 
techniques that do propagate negative information during program specialisation 
include Turchin’s perfect supercompilation [TTRTTf;] and Futamura’s generalized 
partial computation Furthermore, the partial deduction procedure of 

[ t^S95l U^!S97J uses negative (binding) constraints, a subset of CLP (iFT), in order 
to improve precision of the specialisation. 

Constraint solving involves a group of well-established algorithms for deter- 
mining whether a set of constraints is satisfiable. Constraint solvers have been 
developed for various constraint domains, including linear, non-linear. Boolean, 
and Herbrand domains. We use the generality of constraint solving to propa- 
gate information from tests in conditional statements; this is not only limited to 
equality /disequality tests, but tests that can be represented as constraints in the 
domain(s) employed in the partial evaluator. Therefore, the partial evaluation 
procedure may be more precise, approaching levels of specialisation obtained by 
generalized partial computation without a general automated theorem prover. 

In this work, an algorithm for the partial evaluation of Escher programs will 
be presented which incorporates constraint-based information propagation. Lo- 
cal control is achieved by imposing an ordering on terms in Escher computations 
and the global control is an extension of recent work in generalisation of partial 
deduction and positive supercompilation Enssicsss- We will show that the 
implemented partial evaluator passes the KMP test and removes all unneces- 
sary tests. We present the correctness results for the procedure, and compare 
the technique to other program transformation techniques. Finally, we discuss 
possible extensions to the procedure. 
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2 The Language 

The syntax of the rewriting-based functional logic language used in this pa- 
per will be that described in CM- This choice of syntax should not restrict 
this algorithm to the partial evaluation of Escher programs. Any (higher-order) 
functional logic language using a similar computational model will be able to be 
transformed using this procedure. 

The function ITE(c, t, e) will be used in this paper as shorthand notation 
for the conditional statement IF c THEN t ELSE e. The quantifiers in the syn- 
tax are of the form Q[x_l, . . .x_n] T, where Q is either SOME. ALL, or LAMBDA, 
and the list of variables [x_l, . . .x_n] are bound in T. A program is a set of 
rewrite rules, in the form of statements H ^ B, where the term H is the head of 
the statement, and the term B is the body. Given a set of equations, A, rhs{A) 
is the set of terms in the bodies of the equations: rhs{A) = {Rj\ Lj ^ Rj G A}. 
The free variables of a term T is TV{T). The definition Defp of a /c-ary function 
G in a program P is the set of statements in P with head G{ti, . . . ,tk)- For a 
program P, a term T is a standard term if T = ^( 51 , . . . , s„) and F is an n-ary 
user-defined function, i.e. 3 Defp. Let Sp{T) be the set containing all the stan- 
dard subterms of T (may contain T if it is a standard term) wrt to the program 
P. We will use e in this paper to denote the empty term. 

RewritiM of a term T is performed by matching the head of an instance of 
a statementlJ with a redex of T. Formally, a term S is obtained from a term Tj 
by a eomputation step if the following are satisfied: 

1. The set of redexes of Tj, Lj = {i?a}, is a non-empty set. 

2. For each a, the redex Ra G Lj is identical to the head Ha of some instance 
Ha => Ba of a statement schema (rule). 

3. S' is the term obtained from Tj by replacing, for each a, the redex Ra by 
Ba- 

The partial evaluation algorithm described in this paper does not place restric- 
tions on the reduction strategy. We will refrain from specifying a reduction strat- 
egy- 

A computation is a sequence of terms {Ti}f^-^ such that is obtained by 
a computation step from R and T„ contains no rewritable subterms. A partial 
computation does not require the term Tn to be in normal form. We define a 
shorthand notation for describing the result of a partial computation. 

Definition 1. Let T\ represent the equation resulting from the 

partial computation {Ti\f^i. 

3 The Algorithm 

We have designed a constraint-based algorithm for the partial evaluation of func- 
tional logic languages based on rewriting. The algorithm combines computations 

^ Actually, the statements of an Escher program are statement schemas, meta- 
expressions which represent a collection of the instances of that statement. 
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together with a “restart step” , which either performs unification or splits a term 
when the term is not instantiated enough for the computation to continue. We 
start by giving some preliminary definitions. 

The following function, specialise{(T,C), P), returns a specialised definition 
for a term T with constraints C wrt a program P. 

Definition 2. specialise((T, C), P).' Let T be an arbitrary term, C be a set of 
eonstraints, and P be a program. Let select{T, P) = S be a subterm in T. Let F 
be the outermost funetion ofS. Then, specialise((T, C), P) is the set of adorned 
equations: 

specialise{{T,C),P) = {{T6i Tj,C0i,S6i) | Li => Pi G Defp & 

0i = \S, Li] 7 ^ fail & C9i is satisfiable & T9i Tj} 

If select(T, P) is undefined, specialise{{T,C), P) = 0. 

The expression [a, 6] denotes the idempotent most general unifier of a and 
b if it exists; otherwise, it equals fail. The function proj(T,C) is a projection of 
the constraints C onto free variables of the term T. 

In the above definition, the function select{T,P) is used to find a standard 
subterm to restart the partial evaluation; the definition of this function depends 
on the reduction strategy of the language being specialised. Without choosing a 
particular reduction strategy, we can define a property that must be satisfied by 
the seleet function. 

Definition 3. Select Property 

Given a program P, term T , let U be the set of standard subterms of T which 
unify with at least one head of a statement in the program. Then, S = select{T, P) 
G U, the subterm of T selected for restarting the computation, contains the first 
demanded argument ofT. 

An argument of a function P is demanded if there is a non-variable term 
in that argument position in the head of at least one of the statements in the 
definition of P in a program P For example, for a simple leftmost 

outermost reduction strategy, the select function may be defined as follows. Given 
a term T and a program P, select(T,P) = P(ti, . . . , is the leftmost outermost 
standard subterm of T such that there is at least one Li in Defp such that 
\S,Li] ^ fail. 

Example 1. Consider the following definition of Inv, included in program P: 

Inv(True) => False. 

Inv(False) => True. 

In order to generate a specialised definition for the term Inv ( Inv (x)) with re- 
spect to the above definition, specfa&e((lnv(Inv(x) ) , 0), P) is called. Assuming 
a leftmost outermost reduction rule, the selected subterm of the term is Inv(x) 
(the innermost occurrence of Inv). Then, speczafoe((lnv(Inv(x) ) , 0), P) is the 
set of adorned equations: 

{(invdnv(True) ) ^ True, 0, Inv(True)), 

(invdnv(False) ) => False, 0, Inv(False))} 
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We combine the notation of IGJMS951 and II1V1G95I to define m-trees, a data 
structure for recording computation paths during partial evaluation. 

Definition 4. An m-tree is a labelled tree where nodes can either be marked 
or unmarked. A node N is labelled with a tuple of terms (T^, Cn, Sn), where 
T]\f is the term of the computation, Cn is the set of constraints, and Sn is the 
term used to restart the computation. For a branch (3 of the tree, JVp is the set 
of labels of jS and for a leaf L of a tree, (3 l is the unique branch containing L. 

The extend function adds leaves to the m-tree as they are generated during 
the partial evaluation. An example of adding leaves to an m-tree via extend can 
be found in Example 0 below. 

Definition 5. extend{fi, P) Let fj, be an m-tree and P a program. 
extend{p, P) = for all unmarked leaf nodes L G p. : 
mark L in p; 

A = specialise {{Tl, Cl),P)', 

*/ A 7^ 0, 

for all {T,C,S) G A(add leaf L' to branch (3^ with label {rhs{T),C, S)); 
otherwise, «/ A = 0, 

A' = covered(TL, Cl); 

for all B G A' (add leaf L' to branch (3 l with label B); 

That is, if a specialised definition is created for the term, then the different 
reductions of the term are added to the tree as leaves. In the case where no spe- 
cialised definition is generated (i.e. there is no available selectable subterm), all 
standard subterms must be extracted from the term, and a specialised definition 
must be generated for each. Splitting the term ensures that all of the standard 
subterms that might be nested in the term are eventually covered in the residual 
program. We add a minor optimisation to this rule for conditional statements; 
in the case that the condition is a constraint of one of the domains of the partial 
evaluator, the satisfiability of the current set of constraints, with the new con- 
dition added, is tested. If it is found to be unsatisfiable, we can safely omit the 
appropriate branch of the conditional statement from the m-tree. Formally, this 
step is described in the first part of the definition of covered. 

Definition 6. covered(T, C).' Let T be a term, and C a set of constraints. 

if T = IF_THEN_ELSE(c, t, e), and c is a constraint in one of the domains, 
then covered(T, C) = 

{{t, prof ft, C U c), e)}, if C U is unsatisfiable, or 
{{e,proj{e,C U ^c),e)}, if C U c is unsatisfiable, or 
{(t, proj ft, C U c)), (e, proj (e, C U -ic), e)}, otherwise; 
else, for T = Fft\, . . . , tm), covered(T, C) = split(T, C). 
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Definition 7. split(T, C): Let T = F{ti, . . . , tm) be a term, and C a set of eon- 
straints. Then, split(T, C) = {(F(yi, . . . , y^), True, e), {ti,proj(ti,C),e), . . . , 
{tm,proj{tm,C),e)} where yi, ... ,ym do not oeeur inT. 

As an example of the use of the split function, in the following example, 
no selectable subterm can be found, and splitting the term is necessary for the 
program specialisation to continue. This case typically arises when system (built- 
in) functions are in the term. 

Example 2. Suppose we are specialising the following program wrt Inv(x & y): 

Inv(True) => False. 

Inv(False) => True. 

According to the definition of select, there are no selectable subterms in 
Inv (x & y ) , as the term does not unify with either of the heads of the statements 
in the definition of Inv. However, the definition of Inv must be included in the 
residual program. The solution lies in splitting the term. After adding the terms 
Inv(w) and x & y to the m-tree, on the next iteration of the algorithm, specialise 
will return the definition of Inv. 

The “double append” example (where “append” is called Concat here) is 
popular in the presentation of partial evaluation procedures; it is not only a 
simple example that will help the discussion of our techniques, it also shows 
the degree of specialisation available from the program transformation. The re- 
peated use of Concat results in an intermediate list being constructed. In some 
cases, transformation eliminates this intermediate list; deforestation, conjunctive 
partial deduction, and the partial evaluation of narrowing-based functional logic 
programs all perform this optimisation. 

Example 3. Given the following program P: 

Concat ( [] , y) => Y- 

Concat ([h I t] , y) => [h I Concat (t, y)] . 

Consider the specialisation of P wrt Concat (Concat (x, y),z). Assume the 
initial m-tree is a tree with one node, the root node: 

(Concat (Concat (x, y) , z),True, e). 

specia&e( (Concat (Concat (x, y) , z). True), P) is the non-empty set contain- 
ing the following elements: 

(Concat (Concat ([] , y) , z) => Concat(y, z) , True, Concat ([] , y)), and 
(Concat (Concat ( [h I t] , y) , z) => [h I Concat (Concat (t , y) , z),True, 
Concat([h I t] , y)). 

The labels corresponding to these terms are added as children to the m-tree 
(Figure □]). 

Finally, we present the constraint-based partial evaluation algorithm. 
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Restarted 

" (Concat(Concat(x,y), z), True, Empty) 



Concat([ ], y) / ^\Concat{[h 1 1], y) 

Computation / Selected Term 

(Concat(y, z), True, Concat([], y)) ([h I Concat(Concat(t, y), z)], True, Concat([h 1 1], y)) 
Fig. 1. The m-tree during partial evaluation of double append. 



Definition 8. Algorithm Input: a program P and an arbitrary term T. 

Output: a program P' which is the partial evaluation o/P wrt T, and an m-tree 
of terms p,. 

Initialisation: 

Pq := PU {Ans{x\ . . . Xn) => T}, where FV(T) = (a:i . . . a;„); 

fiQ := the tree containing one node labelled (Ans{xi, . . . ,Xn),True,e); 

i := 0; 

repeat 

/ii+i = a{extend{fj.i,Po)); 
i = i-\- 1; 

until pLi = 
return p,i 

P' := TZaifJ-i)- 

The a operator generalises the m-tree; this operator is described in the next 
section. The TZ^ function extracts the program from the m-tree; cr is a renaming 
function for the m-tree. We discuss extraction and renaming in Section 0 

4 Local and Global Control 

Local Control: Termination of 

The operator as it is defined is not guaranteed to terminate. However, with 
the addition of an ordering on terms, we can define to ensure finite com- 
putations. Ordering the terms of a computation has been used for local control 
before, for example, in conjunctive partial deduction IL1JMS9(JI . The strict home- 
omorphic embedding relation, <, is a well-quasi ordering [ Leu97l . For two terms 
S'! and S 2 , Si ^ S 2 indicates that S 2 is a strict instance of Si. 

Definition 9. strict homeomorphic embedding 

— For variables x,y, x < y. 

— For terms S, F{ti , . . . , tn), S < F(ti , . . . , tn) if S <U for some i. 

— For terms F{si, s„), F(<i, . . . , t„), F{si , . . . , s„) < F{ti, . . . ,tn) ifsi< U 

for all i and F{ti , . . . , 7 ^ F(si , . . . , s„). 
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Definition 10. Given a partial computation the set of selectable re- 

dexes, L^, is defined inductively as follows. 

— For m = 1, Lf = Li, the set of redexes of T\. 

— For m > 1, if 3R G Lm, 3R' G Lj such that R' < R for some 1 < j < m, 
then = 0; else, L® = Lm- 

There are several other methods that can be used for ensuring termination 
of these computations. In fact, this definition just describes the basic idea of this 
technique; in some cases, such as if Tj is a tuple of terms, partitioning of the set R 
based on the position of the redex is necessary to increase precision. A selectable 
computation step incorporates the selectable redexes into the computation. 

Definition 11. A term S is obtained from a term Tj by a selectable computa- 
tion step if the following are satisfied: 

1. The set of selectable redexes ofTj, is a non-empty set. 

2. For each a, the selectable redex R^ G Lj is identical to the head FL^ of some 
instance Ha ^ Ba of a statement schema. 

3. S is the term obtained from Tj by replacing, for each a, the selectable redex 
Ra by Ba. 

We can now redefine our operator. A selectable computation is a 

sequence of terms obtained using the selectable computation steps where Lf = 0. 

Definition 12. Given a selectable computation T\ Tn. 

Proposition 1. For every termT, the selectable computation ofT will be finite. 

By Kruskal’s Theorem, this is a finite sequence. Therefore, the computation 
sequences will be finite. 

The local precision of the algorithm may benefit from the use of a refined 
well-quasi ordering. A version of the homeomorphic embedding relation which 
imposes a well-quasi ordering on functors is described in jl ;eiit)7] . 



Global Control: The Abstraction Operator, a 

In order to guarantee the specialised definitions cover possible future calls to 
the functions, yet ensuring termination of the partial evaluation procedure, the 
abstraction operator a of the m-tree of the algorithm occasionally must gener- 
alise the bodies of the specialised definitions. The abstraction operator removes 
a leaf L with label (T^, Cl, Sl) from a tree p, if there exists a label (T, C, S) in 
T <Tl and Cl entails C. The basis for this method has been previously 
described in The most specific generalisation [T, guaran- 

tees termination of this generalisation step, since there exists the well-founded 
ordering > such that T,Tl > [T, T^J. 

The definitions of generalisation and msg are included for completeness here; 
the original definitions can be found in [snnsiEsnEi. 
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Definition 13 . A generalisation ofT\ and T2 is a triple {T, 61,62) where 61,62 
are substitutions and T6\ = T\ and T62 = T2- A most specific generalisation 
(msg) ofTi and T2 is a generalisation (T, 6\, 62) ofTi and T2 such that for every 
generalisation {T',6'1,62) of T\ and T2, T is an instance ofT'. 

Now, we can define the a abstraction operator. It has two main functions: 
folding and generalisation. We use folding and generalisation nodes in 

the m-tree to indicate where the operations occurred. These nodes are repre- 
sented using the functions Fold and Gen for folding and generalisation nodes 
respectively. It is assumed that these functions are not defined in any program. 

Folding occurs when the leaf of a branch is an instance of an ancestor in that 
branch. The specialised definition generated at the ancestor node is not repeated 
in the new leaf. We designate this by a dotted line to the earlier node, although, 
as in by ignoring these dotted lines, we can still consider the m-tree 

to be an acyclic graph. The leaf node is replaced with a fold node (using the 
Fold function) and the terms in the substitution become the new leaves of this 
branch. 

Generalisation occurs when the embedding relation is satisfied; this indicates 
that the term is growing and there is danger of an infinite branch being con- 
structed. Therefore, we impose several conditions that have to be satisfied before 
generalisation can occur. If all of these conditions are satisfied, an infinite branch 
of the m-tree is almost guaranteed if partial evaluation is allowed to proceed. 
Firstly, the selected subterm which was used to restart the computation must 
embed a selected subterm of an ancestor. Using this check reduces the occur- 
rences of generalising when there is no danger of a growing term. Then, we test 
if the term of the ancestor node is embedded in the term of the leaf node. We 
can safely generalise in this case. In the definition below, the operator W is a 
widening operator; given two tuples (Ti, Ci), (T2, C2) where T is a term and C is 
a set of constraints, the operator W computes a widening of Ci and C2 EHIZl- 

Definition 14 . a{p): For a m-tree p containing branch (3 with added leaf L with 
label (Tl,Cl,Sl), a{p) is: 

— if there exists {T^i ,C l' , Sl') G Afp on node L'{^ L) such that Tl>6 = Tr, 
6 = {xi = ti, . . . , Xm = tm} o,nd Cl entails Cl' , then fold the tree as follows. 
Replace the label of L with Fold{x\, . . . ,Xm), draw a dashed line to L' , and 
add leaves with labels {t\,proj{ti. Cl), £)> • ■ • , {tm,pf'oj{tm, Cl), e) to branch 

/ 3 . 

— if there exists {Tl' ,Cl' , Sl') G Afp on node L) such that Sl' ^ Sl and 
Tl' < Tl, then let [Tl,Tl'\ = {T, 61,62) where 62 = {xi = ti, . . . ,Xm = tm] 
and generalise the tree in the following manner: 

if T is not a variable, then: 

* delete the branch (3 from after L' to L; 

* replace the label of L' with Gen{x\, . . . ,Xm); 

* Lb = genLeaves(T, W{{Tl', Cl'), {Tl, Cl)), 62); 

* for all G G Lb(add a leaf to branch ( 3 l' with label G); 
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else, if T is a variable: 

* replace the label of L with Gen{y\, . . . ,yn); 

* Lb = split(Ti,C'L); 

* for all G € Lb( add a leaf to branch fdr with label G); 
— fi otherwise. 



Definition 15. genLeaves(M, C, 0); Let M be a term, C a set of constraints, 
and 0 a substitution. Let {M' , {xi = ti, . . . , Xm = tm}) = generalise(M, 0). 

genLeaves(M, C, 0) = {{M',proj {M' , C),e), {h , proj {h,C),e), . . . , 

{tm,proj{t 

m 1 

The generalise function, defined below, handles the generalisation of quan- 
tified expressions. Because the partial evaluation algorithm depends on compu- 
tation in the functional logic language, complications can arise as a result of 
variable elimination. For example, the following is an Escher rule, eliminating 
bound variable xi in the term: 

SOME [xl,...,xn] (x & (xi = u) & y) => 

SOME [xl, . . . ,xi-l,xi+l, . . . ,xn] (x{xi/u} & y{xi/u}) 

where xi is not free in u, and u is free for xi in x and y. The following is an 
example of bound variables being replaced by free variables in the msg, and the 
problems this can cause. 

Example 4- Consider the following definition of Split. 

Split ([], X, y) => X = [] & y = [] . 

Split ([h I t] , X, y) => 

(x = [] & y = [h I t]) \/ 

(SDME[z](x = [h I z] & Split (t, z, y))). 

In the partial evaluation of Split ([1 I t] , x, y), the following terms must 
be generalised: 

S0ME[z](x = [1 I z] & Split (t, z, y)),and 
S0ME[zl](x = [1, hi I zl] & SplitCtl, zl, y) ) 

The msg of these terms is: 

SDME[ul](u2 = [u3 I u4] & Split (u5, ul, u7)) 

The variable ul remains bound in the msg. However, the bound variables z and 
zl of the growing lists in the original terms are now generalised with a free 
variable u4. 

If a value for ul is computed during a later Escher computation, all occur- 
rences of variable ul will be eliminated, and the value will be lost. This will 
cause the computation of an incorrect residual program, since there is no way 
to propagate this computed value of ul to u4. 
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Therefore, the generalise function must remove all possibility of variable elim- 
ination in subsequent computations during the partial evaluation, so that no 
computed values are lost. This is accomplished by computing a generalisation 
which is more general than the msg. In this paper, we elect to rename all bound 
variables in the msg with new variables. However, depending on the functional 
logic language, more specific generalisations are possible of these terms in order 
to achieve the most variable elimination, while preserving the correctness of the 
partial evaluation. 

Definition 16. generalise(M, 9): Let M be a term and 9 a substitution. Assume 
the variables of M are renamed apart. Let generalise(M, 0) = (M',9'), where 
M' = M, 9' = 9. Then, for each subterm in M, S, such that S = Q[x]{T), 
rename Q[x] in M' with Q[y], where y is a variable not occurring in M or M' , 
and add (y = x) to 9' . 

The actions of the generalise operation are shown graphically in Figure |3 In 
both cases shown in FigureQ, the branch of the original m-tree is deleted up to 
the ancestor, the label of the ancestor is replaced with one containing the Gen 
function, and the children are added to that leaf. 




Fig. 2. Representations of the generalisation operations. 



The following proposition the termination of this global control technique. 
Similar propositions have been proved in [Soil KhllVIShHLlMGh, 'll . 

Proposition 2. For all programs P and terms T, the m-tree generated during 
the partial evaluation of P wrt T is finite. For all leaves in ot{pL), the terms in 
the leaves either do not embed any of the earlier terms in the tree or are variants 
of earlier terms. 
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5 Extraction and Renaming 

The IZa function extracts the residual program from /x. The function is based on 
a renaming operator; conditions for the renaming operator in conjunctive partial 
deduction are adapted for the renaming of terms in the m-tree [t,SdW9dlJ 

Definition 17. A renaming function for a given partial evaluation of P wrt T 
with m-tree fi is a mapping a which maps from terms in pL to terms such that 
for any term T in a node of p,: 

- TV{(j{T)) C TV{T) 

— For all T, T' in distinct nodes of p,T ^ T' , the outermost functions of a 

and are different from each other and from any other function in 

The function TZ^ extracts the program from the m-tree by looking at each 
node and all of its immediate children. For each node that is not a folding or 
generalisation node, the term is renamed using a. Examples of the behaviour of 
TZ^ in four cases are shown in Figure 0 The formal definition of TZ^ is beyond 
the scope of this paper. 

Example 5. Given the program P and term T = Concat (Concat (x, y) , z) 
from Example 0 the following m-tree (Figure EJ is constructed as a result of the 
partial evaluation of P wrt T. In the m-tree of Figure 0 the constraints have 
been omitted, since they are all True, and leaves with variable terms have been 
removed for simplicity. 

The following program is extracted from the m-tree (where the residual pro- 
gram has been post-unfolded). 

FN_SP1([], y, z) => FN_SP2(y, z) . 

FN_SPl([x_3 I y_4] , y, z) => 

[x_3 I FN_SPl(y_4, y, z)] . 

FN_SP2( [] , x_5) => x_5. 

FN_SP2([x_5 I y_6] , z_7) => 

[x_5 I FN_SP2(y_6, z_7)] . 

The intermediate list of the original program has been eliminated in the 
residual program. 




6 Specialisation of a Pattern Matcher 

We have implemented the partial evaluator for Escher in Godel, using Escher as 
the constraint solver by means of constraint handling rules irricTTi for subsets of 
finite tree and linear constraint domains. As an example of the performance of 
the partial evaluator with constraint-based information propagation, we partially 

^ In the case of system modules, the new outermost function name must not be in any 
system module. 
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F(G(x)) 

;C(X) : : H(X) 


F(G(x)) 1 ^ , 

Tx 

Fold(x) 

; '' t 

i T 


0(F(G(X)))C=> 0(C(X)). 
0 (F(G(x)))e=> 0 (H(x)). 


0 (F(G(x)))e=> 

0 (F(G(x))) {x/ 0 (T)}. 


F(G(x)) 

,.cl 

Gen(y) 

H(y) iG(x) 


: F(G(x)) 1 

.c l ^ X 

Gen(y1,y2) 

'] 

SOME[q](F(y1) &y2) 






0 (F(G(x)))i;=> 

0 (H(y)){y/ 0 (G(x))}. 


0 (F(G(x)))C=> 

0 (SOME[z]( 

(F(x)&y2){y2/0(G(z))})). 



Fig. 3. The extraction of a program from an m-tree. 



Concat(Concat(x,y), z) 



Concat([ ], y' 




Concat([w I ws], y) 



Concat(y, z) [w I Concat(Concat(ws, y), z)] 

Concat{[ I vs], z) Fold(x) - - ' ' " ^ 

z [v I Concat(vs, z)] \ 

Fold(y) - — '' 



Fig. 4. M-tree from the partial evaluation of double append. 
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evaluate the naive pattern matching program below, with the aim of generating 
a KMP-pattern matchertlfor the string of integers “112”. 

FUNCTION Match : List (a) * List (a) -> Boolean. 

MatchCp, s) => LoopCp, s, p, s) . 

FUNCTION Loop : List (a) * List (a) * List (a) * List (a) -> Boolean. 

MODE LoopC?, ?, _). 

Loop([], [] , op, os) => True. 

Loop([], [s I ss] , op, os) => True. 

Loop([p I pp] , [] , op, os) => False. 

LoopC [p I pp] , [s I ss] , op, os) => 

IF P = s 

THEN LoopCpp, ss, op, os) 

ELSE NextCop, os). 

FUNCTION Next : List (a) * List (a) -> Boolean. 

MODE Next(_, ?) . 

NextCop, [] ) => False. 

NextCop, [s I ss] ) => 

LoopCop, ss, op, ss) . 

With the constraint-based information propagation, partially evaluating the 
above program with respect to the term MatchC [1,1,2], u) generated the fol- 
lowing statements (types are omitted and post-processing unfolding is assumed) . 
The function names automatically generated by the partial evaluator have been 
replaced with descriptive identifiers. 

Matched, 1, 2], u) => 

Loop_112Cu) . 

Loop_112CD) => False. 

Loop_112 C [s_9 I ss_10] ) => 

IF s_9 = 1 

THEN Loop_12Css_10, s_9) 

ELSE Loop_112Css_10) . 

Loop_2C[], s_9, s_16) => False. 

Loop_2C[s_24 I ss_25] , s_9, s_16) => 

IF s_24 = 2 

THEN EndCss_25, s_9, s_16, s_24) 

ELSE Loop_12C [s_24 I ss_25] , s_16) . 

EndC[], s_9, s_16, s_24) => True. 

EndC[s_33 I ss_34] , s_9, s_16, s_24) => True. 

It can be shown that this is a KMP pattern matching program; the specialised 
pattern matcher never has to go “backwards” to test elements of the list previous 

® The Knuth Morris Pratt pattern matching algorithm runs in time 0{\p\ + |s|) for a 
pattern and string, p and s, respectively. 



Loop_12C[], s_9) => False. 
Loop_12 C [s_16 I ss_17] , s_9) => 
IF s_16 = 1 

THEN Loop_2Css_17, s_9, s_16) 
ELSE Loop_112Css_17) . 
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to the one currently being tested. The program transformation has removed some 
unnecessary tests; for example, in the statement Loop_12, if the test s_16 = 1 
fails, the program starts the matching with the next element of the list, since 
the constraint s_16 yf 1 is propagated. A section of the m-tree generated during 
partial evaluation is shown in Figure Q For the KMP test, the partial evaluator 
achieves specialisation similar to that obtained by perfect supercompilation and 
generalized partial computation. 



(Match{[1,1,2], u), True) 



A: (Loop([1,1,2], u, [1,1,2], u), True) 

u=ir 

U = [s I ss] 



(False, True) 



(ITE(s=1, Loop([1,2], ss, [1,1,2], [siss]), 

I Next([1 ,1 ,2], [sIss])), True) - 



(Loop([1,2], ss, [1,1,2], [siss]), s=1) 

ss = [l 

SS = [s’ I ss’] 



(False, True) 



(T,C) 


Label of m-tree (ordered pair) 


Term 


Intermediate terms of 




Escher computation 




Constraint propagation step 



(Next([1,1,2],[slss]), ~(s=1)) 

Loop ( [1,1, 2], ss, [1,1,2], ss) 

i 

Fold(u) ► (ss, True) 

A 



(ITE(s’=1, Loop([2], ss’, [1,1,2], [s,s’lss’]), 

Next([1,1,2], [s.s’lss’])), s=1) 

(Loop([2], ss’, [1,1,2], [s,s’lss’]), s=1 & s’=1) 



— (Next([1,1,2],[s,s’lss’]), s=1 & ~(s’=1)) 

, 1 

(ITE(s’=1, Loop([1,2], ss’, [1,1,2], [s’Iss’]), 

I Next([1, 1,2], [s’Iss’])), ~(s’=1)) 



(Next([1,1,2],[s’lss’]), ~(s’=1)) 

Loop ([l,l,2],ss',[l,l,2], ss') 

* 

Fold(u) r: * (ss’. True) 

' A 



Fig. 5. Section of the m-tree for the specialisation of the naive pattern matching 
program wrt MatchC [1,1,2], u). Note the use of negative information propa- 
gation at the IF-THEN-ELSE term in the dotted box; this leads to the removal 
of the unnecessary test in Loop_12, as described in Section 4. The definition of 
Loop_112 in the residual program is extracted from the node marked “A”. 



7 Elimination of Intermediate Data Structures 

Deforestation is a program transformation for optimising away intermediate data 
structures [IWadHOj . In some cases, our partial evaluation procedure also performs 
this optimisation. An example of this optimisation is the specialisation of the 
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following program, which uses an intermediate list for the computation of the 
sum of squares of a sequence of numbers. We partially evaluate the program wrt 
SumSqUpTo(n) . 

FUNCTION SumSqUpTo : Integer -> Integer. 

SumSqUpTo(n) => 

Sum(Squares(UpTo(l, n) ) ) . 

FUNCTION Sum : Integer -> Integer. 

Sum([]) => 0. 

Sum([n I ns]) => n + Sum(ns) . 

FUNCTION Sq : Integer -> Integer. 

Sq(n) => n * n. 

FUNCTION Squares : List (Integer) -> List (Integer) . 

Squares ([]) => [] . 

Squares([n I ns]) => [Sq(n) I Squares(ns)] . 

FUNCTION UpTo : Integer -> List (Integer) . 

UpTo(m, n) => 

IF m > n 
THEN [] 

ELSE [m I UpTo(m+l, n)] . 

The following program is the result of the partial evaluation. The intermedi- 
ate lists have been optimised away. 

SumSqUpTo(n) => 



ELSE FN_SP12(1, n) . 

FN_SP12(x_7, n) => 

IF (x_7 + 1) > n 
THEN (x_7 * x_7) + 0 

ELSE (x_7 * x_7) + FN_SP12((x_7 + 1), n) . 

Simple post-processing of this program can impro'vre the efficiency by intro- 
ducing local definitions in the definition of FN_SPi2 for the expressions that 
are repeated (e.g. x_7 * x_7). Similar results have been obtained for the flip 
example of [Wad90]. 

In some examples which have been successfully transformed by deforestation, 
the generalisation operator a is too restrictive to allow the elimination of the 
intermediate data structures. Growing terms are generalised before the interme- 
diate data structure can be identified. Wadler’s Deforestation transformation is 
only guaranteed to terminate for a class of functional programs called treeless 
programs. Static analysis can guarantee termination of deforestation for general 
functional programs. A related static analysis for specialisation of functional 
logic programs is presented in [CK96] . 
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8 Correctness 

In order to prove the correctness of this algorithm, we must first give an amended 
closedness condition. 

Definition 18. subsfPJ.' Let S be a finite set of terms, P a program. 
subs{S) = \J{Sp{T) I T e P} 



Definition 19. W-closed; Let W, P be finite sets of terms. Then, P is W- 
elosed if, for all terms T G subsfP), 3W G W such that W9 = T. 

For a program P = {Li ^ => i?„}, P is W-closed if the set 

of terms of P, {Li, Ri, . . . , L n,Rn}, is W-closed. The definition of translation 
function is also adapted from |T,SdW9tl] 

Definition 20. A translation function based on a renaming function a is a 
mapping po- from terms to terms such that for any term S: 

— if S is an instance of a term in pL, M, then Pa-{S) = a{M)po-{9) where 
M9=S. 

— if S is not an instance of a term in p, then Pa{S) = S. 

In the above definition, Pa(9) is the application of the translation function 
to all terms in the substitution 9. We state the correctness proposition for our 
partial evaluation procedure and note the key properties that are needed to 
establish it. 

Proposition 3. Let P be a program, T a term. Let P' be the partial evaluation 
of P wrt T with m-tree p. Let M be the terms of p. Let {T9} be Ts/L-closed. 
Let Tff , Tff be the results of the computations of T9 and p^{T9) in P and P' , 
respectively . Then, the following are true. 

— If Sp{Tff) = 0, Tff is equal to Tff (modulo variable renaming). 

— if Spr{T^ ) = 0, is equal to T(( (modulo variable renaming). 

The formal proof has yet to be completed, but the reasoning behind the 
proposition is based on the correspondence between the computation of T0 in 
P, and paths in the graph (m-tree with folds considered) . The Select Property is 
key in stating this soundness result; since the evaluation order is not affected by 
the partial evaluation, the result is the same in both P and P'. In some cases, 
when quantified terms are generalised during partial evaluation, the terms of 
the m-tree will have subterms of the form x = a which are eliminated earlier 
in the computation of T9 in P. However, in the computation of pa{T9) in P' , 
these extra binding terms are eliminated at equivalent points in the computation. 
The completeness result is a direct consequence of how the residual program is 
constructed by our procedure. 
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9 Discussion 

The algorithm for specialisation of a lazy higher-order functional logic language 
based on rewriting draws on and extends techniques developed in the speciali- 
sation of other languages. This is not surprising, considering that the language 
itself integrates several aspects of different computational models. In this section, 
we will both compare our technique with existing work, and note the techniques 
extracted from each. 

The global control described in this paper may be viewed as a version of the 
global control described by Martens and Gallagher in In this work, the 

m-tree is used for collecting the atoms for which specialised definitions have been 
constructed, in order to increase the specialisation. Less generalisation is neces- 
sary to ensure independence. Similarly, the terms for which we have constructed 
a specialised definition are stored in the m-tree in this work. The concepts from 
| IMGP.5I | have been extended to allow for nested functions and constraints. 

Conjunctive partial deduction [f.SdWh^ a refinement of partial deduction, 
allows partial evaluation of logic programs wrt conjunctions of literals, (instead 
of sets of literals). Handling the conjunction of literals allows for greater special- 
isation, since dependencies between literals are exploited. The results approach 
those available by unfold/fold transformation, with the advantages of lower com- 
plexity and easier control. This transformation procedure can be compared quite 
closely with the technique described in this paper; the functional counterpart of 
conjunctions of literals are nested terms, particularly nested terms containing the 
Boolean function &. In particular, we have adapted the correctness of renaming 
schemes from conjunctive partial deduction. In addition, an embedding relation 
ensures finite SLD-trees for the local control in this procedure. In a similar way, 
we impose an ordering on the redexes of a term in the computations between 
nodes of the m-tree. 

Supercompilation rr^T82i iThTsel and positive supercompilation 

transform functional programs, in the former, a strict first-order language 
named Refal, in the latter, a simpler lazy first-order functional languag^. 

Past work has noted similarities in the information propagation between the 
unfolding operation in partial deduction and the driving step in positive su- 
percompilation In positive supercompilation, partial process trees are 

constructed via driving. These trees are comparable to the m-trees in this work; 
indeed, in ^nm, Gliick and Sprensen note that this generalisation algorithm 
for positive supercompilation can be viewed as an instance of Martens’ and Gal- 
lagher’s technique for the global termination of partial deduction fM<"^Q5j . In 
partial process trees, transient ancestors (terms in the tree that are determinis- 
tically unfolded) are not checked in the generalisation of the partial process tree. 
In our procedure, these terms are elements of the computations in specialise and 
are not added to the m-tree. 

We have adapted the Whistle function of positive supercompilation for the 
generalisation of nested functions !g^ . Ghanges were necessary to reflect the 

In later work jHKP.k) Gliick and Klimov present supercompilation of a tail-recursive 
functional language. 
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unique problem of handling bound variables during generalisation. Furthermore, 
in supercompilation, Turchin was restricted only to representing negative binding 
constraints (bindings that failed) in the environments. As stated earlier, general 
constraints can represent information beyond bindings of variables, depending on 
the choice of constraint domains implemented in the partial evaluator. Neither 
positive supercompilation nor supercompilation have been defined for higher- 
order functional languages. However, deforestation | IWad9n| is able to transform 
both first-order and higher-order functional programs | |Mar9fi| . 

Recent work in the partial evaluation of narrowing-based functional-logic 
programs has been described in ^FV96I HFjV97). Alpuente et al. describe 
a partial evaluation procedure for narrowing-based functional logic programs 
which is based on partial deduction; incomplete narrowing trees are generated 
for the terms and subterms, and resultants are extracted from these trees. 

Clearly, since the narrowing-based and rewriting-based languages share com- 
mon features, the algorithms also show signs of similarity. Both techniques de- 
fined a closedness for the procedure which involves recursively searching the 
terms for user-defined functions. In our technique, this closedness condition is 
implicit in the correctness result. In addition, the local control of the partial 
evaluation for narrowing-based functional logic programs also uses the homeo- 
morphic embedding relation on the selected redexes to identify possibly infinite 
branches of narrowing trees. Furthermore, a renaming step is described as the 
second phase of the algorithm in I.\F.I\'97I to guarantee that lazy narrowing can 
execute a goal in the residual program; this is also necessary in our procedure. 

Finally, in the introduction, we presented a comparison of the information 
propagation techniques of different program transformers. As mentioned earlier, 
both partial deduction mu and supercompilation | |rur8ti| have the ability to 
propagate negative binding constraints. However, our technique allows the con- 
straint handling to represent more complex properties, depending on the con- 
straint domain(s) of the partial evaluator. In this way, we endeavour to obtain 
the degree of information propagation of generalized partial computation, where 
an automated theorem prover evaluates general conditions of conditional state- 
ments in the program We have not yet been able to obtain the degree of 

specialisation for the 91-function example as described in it is ongoing 

research to determine whether this can be obtained by partial evaluation with 
constraint solving. 

10 Conclusions and Further Work 

We have presented an algorithm for the partial evaluation of rewriting-based 
functional logic programs which uses constraint-based information propagation 
to obtain more precision during specialisation. The algorithm incorporates tech- 
niques from the partial evaluation of logic programs with techniques developed 
for positive supercompilation in order to guarantee termination of the algorithm. 
The results of the implementation of the algorithm in Escher show that the par- 
tial evaluator generates KMP pattern matching programs, thus passing the KMP 
test. This is the first use of constraint-based partial evaluation for functional logic 
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languages. Future work will include extending the constraint domain to Boolean, 
Herbrand, linear, and non-linear constraint domains in order to explore the pos- 
sible increased specialisation for some programs. 
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Abstract. We provide a first investigation of the specialisation and 
transformation of tabled logic programs through unfolding. We show 
that — surprisingly — unfolding, even determinate, can worsen the ter- 
mination behaviour in the context of tabling. We therefore establish two 
criteria which ensnre that such mishaps are avoided. We also briefly 
discuss the influence of some other transformation techniques on the 
termination and efficiency of tabled logic programs. 



1 Introduction 

The use of tabling in logic programming is beginning to emerge as a powerful 
evaluation technique, since it allows bottom-up evaluation to be incorporated 
within a top-down framework, combining the advantages of both. Although the 
concept of tabled execution of logic programs has been around for more than 
a decade (see [23), practical systems based on tabling are only beginning to 
appear. Early experience with these systems suggests that they are indeed prac- 
tically viable. In particular the XSB system [23, based on SLG-resolution [3], 
computes in-memory queries about an order of magnitude faster than current 
semi-naive methods, and evaluates Prolog queries with little reduction in per- 
formance when compared to well-known commercial Prolog systems. 

At a high level, top-down tabling systems evaluate programs by recording 
subgoals (referred to as calls) and their provable instances (referred to as an- 
swers) in a table. Predicates are designated a priori as either tabled or nontabled. 
Clause resolution, which is the basic mechanism for program evaluation, proceeds 
as follows. For nontabled predicates the call is resolved against program clauses. 
For tabled predicates, if the call is new to the evaluation, it is entered in the 
table and Prolog-style program clause resolution is used to compute its answers 
which are also recorded in the table. If, on the other hand, a varianfl of the call is 

^ Tabling evaluation methods can be based either on variant checks, as SLG-resolution 
is, or on subsumption checks. Throughout this paper, unless otherwise specified, we 
assume tabling based on variance, and we refer the reader to (3 Section 7.1 for a 
discussion on some of the issues that are involved in this choice. 

Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 189-EII3> 1998. 
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already present in the table, then it is resolved against its recorded answers. By 
using answer tables for resolving subsequent invocations of the same call, tabled 
evaluation strategies prevent many cases of infinite looping which normally oc- 
cur in Prolog-style SLD evaluation. As a result, termination characteristics of 
tabling-based logic programming systems are better than those of Prolog 0 . 

Given the relative novelty of tabling-based implementations, many promising 
avenues for substantially improving the performance of tabled programs remain 
to be explored. Research in this topic has mainly addressed issues related to 
finding efficient data structures for tabling P2], or suggesting low-level modi- 
fications of the SLG-WAM In this paper we deviate from this path and 
investigate issues related to the optimisation of tabled programs using more 
portable techniques such as specialisation through unfolding or similar program 
transformations . 

Program transformation is by now a widely accepted technique for the sys- 
tematic development of correct and efficient programs. Given a program, the aim 
of program transformation is to produce a more efficient program which solves 
the same problem, that is, which is equivalent in meaning to the original one 
under a semantics of choice. Various systems for program transformation have 
been developed, usually based on the use of the fold/unfold framework. This 
framework dates back to at least |5|, has been introduced to the logic program- 
ming community in a seminal paper of Tamaki and Sato has since been the 
subject of considerable research (see e.g. the references in |[S|), and has been suc- 
cessfully used in many partial evaluators for Prolog-style execution PSIBIIESIIS!. 
Unfortunately, no methodology for the transformation or specialisation of tabled 
logic programs exists. All techniques stay within the context of untabled execu- 
tion. Initially, one may expect that results established in the “classic” (S)LD 
setting more or less carry over. This, however, turns out to be far from obviously 
true as the differences between the execution models are significant. 

In this paper, we mainly concentrate on issues related to the safety of un- 
folding in tabled logic programs. We do so because in the context of program 
specialisation, unfolding is the most important ingredient. For instance, partial 
deduction HZ] basically only employs unfolding. In untabled execution of logic 
programs unfolding is not problematic. For example, it preserves both the least 
Herbrand model and set of computed answer substitutions semantics and — 
even in the context of the unfair Prolog selection rule — it cannot worsen the 
(universal) termination behaviour of a program EH- Under tabled execution, 
however, unfolding — even determinate — may transform a terminating pro- 
gram into a non-terminating one ! Naturally, this is a situation that better be 
avoided. 

To reason about unfolding of tabled logic programs, we describe a framework 
that captures their termination (under the left-to-right selection rule) and define 
applicability conditions that ensure the intended equivalence property between 
the original program and the transformed one. Using this framework we prove 
that certain non-trivial and commonly used in practice types of unfolding are 
safe with respect to termination. 
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In summary, our results regarding unfolding in the context of tabled execution 
are as follows: 

— We prove that left-most unfolding or unfolding without any left-propagation 
of bindings preserves termination of tabled logic programs. 

— We show that even though left-propagation of bindings through unfold- 
ing can worsen the termination characteristics of a tabled programs, left- 
propagation of grounding substitutions is safe wrt termination. 

The rest of the paper is organised as follows. In the next section we introduce 
some preliminaries and in Section Elwe show through an example how unfolding 
endangers termination of tabled programs. To reason about preservation of ter- 
mination by unfolding, in Section 0we introduce the notion of quasi-termination 
of tabled programs, and based on this notion in Section 0we prove the above 
results. We end with an extended discussion of the effect that some other com- 
monly used transformation techniques have on the termination and efficiency of 
tabled programs. 



2 Preliminaries 

We denote by Bp the non-ground extended Her brand bas^l (i.e. the set of 
atoms modulo the variant equivalence relation « as defined in 0)- We also define 
the following notations: the set of variables occurring inside an expression F is 
denoted by vars{F), the domain of a substitution 6 is defined as dom{9) = {X \ 
X/t G 6} and the range of 9 is defined as ran{9) — {Y | X/t G 9 AY G uars(t)}. 
Finally, we also define vars{9) = dom{9) U ran{9) as well as the restriction 6*|v 
of a substitution 0 to a set of variables V by 9\v = {X/t \ X/t G 9 A X G V}. 
By mgu{A, B) we denote a substitution 9 which is an idempotent (i.e. 99 — 9) 
and relevant (i.e. vars{9) C vars{A) U vars{B)) most general unifier of two 
expressions A and B. In the remainder of this paper we will use the notations 
hd{C),bd{C) to refer to the head and the body of a clause C respectively. 

A program transformation process starting from an initial program Pg is a 
sequence of programs Pq, . . . , Pn, called a transformation sequence, such that 
program Pk+i, with 0 < k < n, is obtained from Pk by the application of 
a transformation rule, which may depend on Pq, . . . , Pk- Let us now formally 
define unfolding, slightly adapted from p] (Rl)]. 

Definition 1. (Unfolding rule) Let Pk contain the (renamed apart) clause 
C = H F,A,G, where A is a positive literal and where F and G are (possibly 
empty) conjunctions of literals. Suppose that: 

^ In some given language, usually inferred from the program and queries under consid- 
eration. The superscipt E is used to prevent confusion with the standard definition 
of the Herbrand base. 
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1. {Hi, . . . , _D„}, with n > 0, 0 are all the clauses in a program Pj, with 
0 ^ J ^ such that A is unifiable with hd{Di), . . . ,hd{Dn), with most 
general unifiers 9i, . . . , On, and 

2. Ci is the clause {H ^ F,bd{Di),G)0i, for i= 1, . . . ,n. 

Each binding in Oi\^ars{F)uvars{H) is called a left-propagated binding. 

If we unfold C wrt A (using Hi, , Dn) in Pj, we derive the clauses C\, . . . ,Cn 
and we get the new program Pk+i = {Pk \ jC'}) U (Ci, . . . , Cn}- When n = 1, 
i.e., there is exactly one clause whose head is unifiable with A, the unfolding is 
called determinate. Finally, left-most unfolding unfolds the first literal in bd{C) 
(i.e. F is empty 

For example, given Hq = (p 9 A r, g <— r}, we can unfold p ^ q Ar wrt q 
using Pq, deriving the clause p ^ r Ar and we get Hi = jp <— r A r, g ^ r}. 

Note that, in contrast to m, we treat programs as sets of clauses and not 
as sequences of clauses. For pure tabled programs, the order (and multiplicity) 
of clauses makes no difference for the termination properties we are (primarily) 
interested in preserving (the order of clauses and the order of solutions has no 
incidence on universal — i.e. wrt the entire computation process — termination; 
it might however affect their existential termination, as discussed in Section [6. 41 . 

3 Unfolding Endangers Termination 

In the context of program specialisation, unfolding is the most important trans- 
formation rule. For instance, partial deduction HZl basically only employs un- 
folding (although a limited form of implicit folding is obtained by the Lloyd and 
Shepherdson closedness condition, see e.g. (H)- So in order to study speciali- 
sation and transformation of tabled logic programs we will first concentrate on 
the behaviour of unfolding. 

In logic programs — with or without negation — executed under SLD(NF) 
(or variants thereof) any unfolding is totally correct and does not modify the 
termination behaviour of the program (see e.g. |l?sjL In the context of a fixed, 
unfair selection rule, like Prolog’s left-to-right rule, unfolding can even improve 
termination (cf. but never worsen it. In the Prolog setting (i.e. if we take 

clause order, depth-first strategy into account), unrestricted unfolding can only 
affect the existential termination of programs, because unfolding can change the 
order of solutions. Moreover, determinate unfolding does not modify the back- 
tracking behaviour 0 and can thus only be beneficial for efficiency (leading to 
smaller SLD(NF)-trees). 

However, while unfolding is not problematic in the ordinary setting, its in- 
fluence on efficiency and termination becomes rather involved in the context of 

^ m (Ri)] actually stipulates that n > 0 and thus does not allow the selection of an 
atom which unifies with no clause. However, the “deletion of clauses with finitely 
failed body” rule m (R12)] can be used in those circumstances instead. We can 
thus effectively allow the case n = 0 as well. 

Note that left-most unfolding is allowed to instantiate the head, while unfolding 
without left-propagation is not. 
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tabled execution. On the one hand, contrary to Prolog-style execution, any un- 
folding of Datalog (or propositional) programs is safe wrt termination, as SLG 
terminates on such programs |2|. On the other hand however, as soon as func- 
tion symbols are introduced, unfolding, even determinate, can ruin termination. 
We suppose from now on, for simplicity of the presentation, that all predicates 
are tabled. We also suppose that the predicate = /2 is defined by the clause 
= (X,X) 

Example 1. Let P be the following program. 
p{X)^p{Y),Y = f{X) 

Under a left-to-right selection rule, this program fails finitely (the selected atom 
is a variant of a call for which no answers can be produced) and thus terminates 
for e.g. the query <— p{X). The following program, P', obtained by (determi- 
nately) unfolding the atom Y — f{X) does not (see Fig. ^1: 

p{X)^p{f{X)) 



pififim 



PifififiX)))) 

Fig. 1. SLG- forests for the query ^ p{X) before and after unfolding Example Q 



P(X) p{X) p{f{X)) 

P: j P': j 

p{Y),Y = f{X) p{f{X)) pififiX))) 



This “infinite slowdown” is of course highly undesirable. In the remainder 
of this paper we develop criteria which ensure that termination is preserved by 
unfolding. 



4 Quasi-Termination 

We start out with a formalisation of termination (under a left-to-right selection 
rule) in the setting of tabled execution of logic programs. 

Definition 2. (call graph) Given a program P, the call graph of P is the 
graph whose nodes are the elements of Bp and which contains a directed edge 
from A to B, denoted by A B (or more precisely A —^p^c,i B), iff there 
exists a (renamed apart) clause C = iL <— i?i, . . . , Bn in P such that 

• A and H unify via an mgu 0 and 

• B ra BiOOi . . .9i-i where Oj is a computed answer substitution (c.a.s.) for 

pu{^ Bjeei...0j_i}. 
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By ^*p we denote the transitive and reflexive closure of ^p. Given an atom 
A G Bp, we also define A*p = {B G Bp \ A ^*p B}. A subset S of Bp is said 
to be closed iff A B, for some A G S, implies that B G S. 



Example 2. Let P be the following program. 
p{a) ^ 

p{X) ^ q{X),p{X) 
q{a) ^ 
q{b) ^ 

We have that e.g. p{a) ^p q{a), p{a) ^p p{a) and p{a)* = {p{a),q{a)}. The 
full call graph is depicted in Fig. 0 



q{X) p{X) q{b) 

O ^ O o 

i\t 

O M O o 

fia) P(a)| I P{b) I I 

Fig. 2. Call graph of P for Example El 



We now define the notion of quasi-termination of tabled logic programs (a 
term borrowed from defining a similar notion in the context of termination 
of off-line partial evaluation of functional programs). 

Definition 3. (quasi-termination) Let P be a program and S a subset of 
Bp. P is said to be quasi-terminating wrt S iff for every A G 5 the set Ap is 
finite. Also, P is quasi-terminating iff it is quasi-terminating wrt Bp. 

E.g. the program P from ExampleElis quasi-terminating wrt the entire Bp. 

The above definition in essence means that, starting from S, evaluation pro- 
duces only a finite number of different calls. Equivalently, every LD-tree (i.e. 
an SLD-tree using the left-to-right selection rule) for P U A}, A G 5, con- 
tains only a finite number of selected atoms modulo variable renaming. It is also 
equivalent to stating that every SLG-forest using the left-to-right selection rule 
for P U {<— A}, A G 5, contains only finitely many SLG-trees. This means that 
non-termination can only occur if a call produces an infinite number of computed 
answers. Hence, universal termination holds iff we have quasi-termination and 
there are only finitely many c.a.s. for the selected atoms (for a more thorough 
discussion on termination issues in tabled execution see jOj) Thus, if a trans- 
formation sequence preserves the set of c.a.s. — something which holds for all 
the transformations we are interested in — then preserving quasi-termination is 
equivalent to preserving universal termination. 
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5 Preserving Quasi- Termination While Unfolding 

In the problematic Example 0we have, by unfolding, left-propagated the binding 
Y/ f{X) on the atom p{Y). Without left-propagation the sequence of c.a.s. under 
untabled LD-resolution is not changed (see e.g. m) and even the behaviour of 
problematic non-logical built-in’s like var/1 is preserved (see e.g. jHl ES])- We 
first prove that such restricted unfolding is also safe wrt quasi-termination of 
tabled logic programs. 

Theorem 1. Let S C Bp, and let P' be obtained from P by a sequenee of left- 
most unfolding steps and unfolding steps without left-propagated bindings. 

If P is quasi-terminating wrt S then so is P' . 

Proof. In Appendix 0 □ 

We will now explore extensions of this basic result, as the left-propagation of 
bindings can often be highly beneficial and, as it allows the evaluation to focus 
on only the relevant data, can lead to a dramatic pruning of the search space 
(see e.g. |T3). 

However, considerable care has to be taken when performing instantiations 
in the context of tabled logic programs. We have already illustrated the danger 
of unfolding with left-propagation of bindings. Note, however, that if we just 
instantiate the query <— p{X) to ^ p{f{X)), but leave the clause in program P 
of Example 0 unmodified, quasi-termination is not destroyed. So, one might 
hope that instantiating a query and leaving the program unmodified should 
be safe wrt quasi-termination. Alas, there is another more subtle reason why 
left-propagation of bindings can endanger termination. Termination of ordinary 
SLD(NF)-resolution has the following property. 

Definition 4. The termination of an evaluation strategy £ is closed under sub- 
stitution iff whenever in a program P a query <— Q terminates under £, then so 
does every instanee <— Q9 of it. 

Surprisingly, this is not a property that carries over to tabled evaluation! We 
show that termination (and quasi-termination) of SLG-resolution is not closed 
under substitution with the following counterexample. 

Example 3. Let pj2he & tabled predicate defined by the following clause: 
p{f{X),Y)^p{X,Y) 

Then (as shown in Fig. 0) both under variant- and subsumption-based tabling, 
the query ^ p{X, Y) terminates while ^ p{X, X) does not! 

As a side-comment, note that, because termination of tabled execution is 
not closed under substitution, tabling systems based on (forward) subsumption 
have unpredictable termination characteristics in general (termination of queries 
depends on the chronological order of encountering tabled calls). At least from 
a purely practical perspective, this is can be seen as an advantage of tabling 
systems based on variance over those based on subsumption. 
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p{X,Y) 



p{X,X) 



PiXJiX)) 



p{X,f{f{X))) 



X = f(X') 



X = f(X') 



X = f(X') 



X = f(X') 



p(X',Y) p(X',f(X')) p(X',f(f(X'))) p(X',f(f(f(X')))) 

Fig. 3. SLG-forests for the queries ^ p(X, Y) and ^ p(X, X). 



Example |3| can be adapted to show that even left-propagation of bindings 
which do not introduce any new structure can be dangerous: t *— p{X, Y),X = Y 
terminates while a program containing t <— p(X,X) does not. Moreover, a 
variant of the same example shows that even left-propagation of bindings to 
variables that appear only in the head can ruin termination as can be seen by 
the unfolding of the atom Z = f{X) in the following clause: 
p{Z,Y)^p{X,Y),Z = f{X) 

So, although left-propagation and instantiation in the context of tabled exe- 
cution of logic programs seems like a hopeless endeavour, we will now formally 
establish that a non-trivial class of substitutions can actually be safely left- 
propagated. 

Definition 5. A substitution 7 is called a grounding substitution ijf for all 
XjtG"f we have that t is a ground term. 

We say that 7 is structurally simpler than another grounding substitution a, 
denoted by ^ <a, iff for every X/s G 7 there exists a Y/t G a such that s is a 
subterm of t. 

Note that any term is considered a subterm of itself. 

Example 4 - Let a = {X/ f{a), Y/b} be a grounding substitution. Then a itself as 
well as e.g. {Z/a, X/b} and {X j f{a),Yl f{a), Z fb, V/a} are structurally simpler 
than (7 (it would be possible to disallow the last case by a more refined definition, 
but it is not required for our purposes). However, neither {Z/ f(f{a))} nor {X/c\ 
are structurally simpler than cr. 

The interest of the relation <, in the context of quasi-termination, derives 
from the following proposition. 

Lemma 1. Let a be a grounding substitution and let A be an atom. Then the 
set {H'7 \ A' A and 7 ^ cr} is finite up to variable renaming. 

Proof. Let vars(A') = {Xi, . . . , Xn} and let 7 < cr. Then we either have Xi'y = Xi or 
we have that = L where L is a subterm of some Si with Y / Si G a. Now, as there 
are only finitely many bindings Y/s in a and as for each such s there are only finitely 
many subterms, we can only construct finitely many different atoms T'7 up to variable 

□ 



renaming. 
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Next, we prove the following lemma, capturing an interesting property of 
grounding substitutions. Together with Lemma 0 this will enable us to show 
that left-propagation of grounding substitutions is safe wrt quasi-termination. 

Lemma 2. Let j be a grounding substitution and let <— Qy have a derivation 
leading to <— RQ' . Then <— Q has a corresponding derivation leading to <— RQ 
such that for some grounding substitution 7' < 7, RQ' « RQj'. 

Proof. In Appendix El LI 

We will now put the above lemmas to use. 

Theorem 2. Let P be a program, A an atom and let a be a grounding substi- 
tution. If A*p is finite then so is Aaf, . 

Proof. By Lemma 13 we know that for every A — B we can only have Aa — >p B'y 
for grounding substitutions 7 ^ cr. This means that A = {B^7 \ B £ A* /\ B' ~ B and 
7 < cr} is a safe approximation (i.e. a superset) of Aa*p. We can apply Lemma 0 to 
deduce that A is finite whenever A* is. □ 

Theorem 3. Let S C Bp, and let P' be obtained from P by left-most unfolding 
steps and unfolding steps such that each left-propagated binding is a grounding 
substitution. If P is quasi-terminating wrtS then P' is quasi-terminating wrtS. 

Proof Sketch. The full proof is obtained by adapting the proof of TheoremQto make 
use of Theorem |3 for the left-propagated grounding substitutions. The only tricky 
aspect is that, when instantiating a body atom B of a clause C to B7, Theorem| 3 only 
tells us that if B was terminating in P then By is also terminating in P. To actually 
infer that By also terminates in P' = P\CU{C'i, . . . , Cn} we have to take into account 
that 7 might be repeatedly applied, i.e. whenever a derivation of B uses the clause C. 
This is no problem, however, because 7^ ^ 7 => y'y ^ 7, meaning that Lemma| 2 l(and 
thus also Theorem 0 ) also holds when the grounding substitution is repeatedly applied. 

□ 

A similar result does not hold when using tabling based on subsumption 
rather than variance as shown by the following example. 

Example 5. The following program is quasi-terminating wrt {g} when using sub- 
sumption checks (but not when using variant checks). 

piX)^p{f{X)) 
q^ p{X),X = a 

Unfolding X = a in the last clause will result in the left-propagation of the 
grounding substitution {X/a} and produce the clause q ^ p{a). The resulting 
program is no longer quasi-terminating wrt {q} when using subsumption checks 
only (term-depth abstraction in the spirit of OLDT-resolution is then also re- 
quired to ensure termination). 
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6 Extensions and Efficiency Considerations 

6.1 Mixing Tabled and Prolog-Style Execution 

So far we have assumed that all predicates are tabled. When not all predicates 
are tabled, then one can safely left-propagate any substitution on nontabled 
predicates if they do not call tabled predicates themselves (otherwise a problem 
similar to Example 0 can arise; e.g. through left-propagation oi X/Y on the 
nontabled call q{X,Y), where q/2 is defined by q{X,Y) ^ p{X,Y)). 

One also has to ensure that unfolding does not replace a tabled predicate by 
a nontabled one. Otherwise, the termination might be affected as the following 
example shows. 

Example 6. In program P of Figure E] where only t/1 is tabled all queries finitely 
fail; so the program is terminating. However, by determinate unfolding of the 
first clause wrt to t{X), we end up with the program P' on the right side of the 
same figure for which the query <— p{X) is non-terminating. 





p{X) ^ t{X) 




p{X) ^ p{X) 


P : 




P' : 






t{X) ^ p{X) 




t{X)^p{X) 



Fig. 4. P' is obtained from P by unfolding wrt t{X). 



6.2 Polyvariance and Renaming 

Most partial evaluators and deducers use a technique called renaming (see e.g. 
HHP) to remove redundant structure from the specialised program but also to 
ensure the independence condition of m (thus avoiding the use of abstraction 
instead), thereby allowing unlimited polyvariance. In the context of SLD(NF)- 
execution, such additional polyvariance might increase the code size but is always 
beneficial in terms of the size of the (run-time) SLD(NF)-trees. The following 
example shows that, again, in the context of tabled execution, appropriate care 
has to be taken. 

Example 7. Let P be the following program, containing some arbitrary definition 
of the predicate p/2. 

q{X,Y) ^ p{a,Y),p{X, b) 

After specialising one might obtain the following program along with definitions 
for pa/l and ph/l. 

q{X,Y) ^ Pa{Y),p,{X) 

For the query ^ q{a, b) the call p{a, b) will only be executed once against program 
clauses in the original program while in the specialised program both Pa(b) and 
Pb{a) will be executed. The specialised program might thus actually be less 
efficient than the original one ! 
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A conservative, but safe, approach is to apply renaming only when the atoms 
are independent — it should just be used to remove superfluous structure from 
the specialised program while the independence condition should be ensured via 
abstraction. 

Similar difficulties can arise when performing conjunctive partial deduction 
din] (as well as tupling or deforestation), which specialises entire conjunctions 
and renames them into new atoms. Indeed, renaming a conjunction into a new 
atom might diminish the possibility for tabling, i.e. the possibility of reusing 
earlier computed results. If e.g. we rename the conjunction p{X,Y) A q{X,Z) 
into pq{X, y, Z) then the query ^ p(a, b) A q{a, c) can reuse part of the results 
computed for ^ p(a, b) A g(a, d), while the renamed query ^ pq{a, 6, c) cannot 
reuse results computed for ^ pq{a, b, d). 

6.3 A Note on the Efficiency of Unfolding with Left-Propagation 

In untabled execution the left-propagation of substitutions usually prunes the 
search space, and thus can only be beneficial for the efficiency of query evalu- 
ation. In tabled execution, as some program clause resolution is substituted by 
resolution against answers that are materialised in tables and can be retrieved 
without recomputation, the left-propagation of (even grounding) substitutions 
may sometimes worsen performance (of course it can also vastly improve it). 

For example, in many tabled-based program analysers, it is usual practice to 
employ what is known as the most-general call optimisation i.e., compute 
analysis information for the most general form of each predicate and then retrieve 
this information from the tables, appropriately filtering it by explicit equality 
constraints. The basic idea of the approach can be illustrated by two simple 
abstract interpreters from 0 shown in Figure 0 The definition of the fact /I 
predicate (which can be the only tabled predicate) is the same for both inter- 
preters and assumes that each program clause H <— Gi , . . . , G„ is represented 
as a fact of the form pc{H, [Gi, . . . , G„]) . A top-level query ^ fact{X) trig- 



fact(Head) <— 

pc{Head, Body) , prove(Body) 
prove{[]) <— 
prove([G\Gs]) <— 

fact{G),prove{Gs) 



fact(Head) ^ 

pc{Head, Body) , prove(Body) 
prove{[\) <— 
prove(\G\Gs\) <— 

fact{GenG), GenG = G,prove{Gs) 



Fig. 5. Two abstract meta-interpreters for concrete evaluation. 



gers the computation of the program’s non-ground minimal S-model that gets 
recorded in the tables. Only one such table is created when using the inter- 
preter with the most-general call optimisation (shown on the right side of the 
figure). However, using the interpreter on the left side of the figure the number 
of tables depends on the number of distinct (up to variance) instantiation pat- 
terns for calls to fact /I. Besides the overhead in space, this has an associated 
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performance cost especially in complicated abstract domains (see e.g. pQ E] for 
more information and experimental evaluation of this technique over a variety 
of domains). 

6.4 Taking Program Clause Order into Account 

In existing implementations of tabling, program clause resolution is performed 
in a style similar to Prolog’s; i.e. visiting clauses according to their textual or- 
der. Consequently, in tabled programs which are not quasi-terminating, non- 
determinate unfolding (even without left-propagation) can worsen their existen- 
tial termination. This, in turn, might affect their behaviour under optimisations 
which involve pruning, such as existential negation (c.f. m)- We illustrate the 
problem by the following example, which extends a similar example given in 



Example 8. Assuming a scheduling strategy that returns answers to calls as soon 
as these are generated, program P of Figure El produces the answer X — 0 for 
the query <— p{X), and then loops, while program P' loops without producing 
any answers. 





Fig. 6. P' is obtained from P by unfolding wrt r. 



7 Discussion 

We conclude with a brief discussion of a possible application of this work, namely 
optimising integrity checking upon updates in recursive databases, by specialis- 
ing meta-interpreters. For hierarchical databases successful results have already 
been achieved in m- Unfortunately, moving to recursive databases has proven 
to be difficult, because the loop check — which is necessary for termination — 
requires the use of the ground representation when using SLD(NF)-execution. 
This imposes a large initial overhead and leads to further difficulties in terms 
of specialisation [II .’ll K|. However, by writing the integrity checker in a tabled 
environment we can use the non-ground representation and together with the 
techniques explored in this paper, one might obtain effective specialised update 
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procedures even for recursive databases. Note that in the setting of deductive 
databases left-propagation of grounding substitutions corresponds to the well- 
known optimisation principle of making selections first, and thus occurs very 
naturally. 

Acknowledgements 

Michael Leuschel and Konstantinos Sagonas are post-doctoral fellows of the Fund for 
Scientific Research - Flanders Belgium (FWO). Michael Leuschel was also partially 
supported by the Belgian GOA “Non-Standard Applications of Abstract Interpreta- 
tion”. Bern Martens is a post-doctoral fellow of the K.U. Leuven Research Council. We 
thank Danny De Schreye and Stefaan Decorte for interesting discussions, ideas and 
comments. 



References 

[1] K. Benkerimi and P. M. Hill. Supporting Transformations for the Partial Evalua- 
tion of Logic Programs. Journal of Logic and Computation, 3(5):469-486, October 
1993. 

[2] R. M. Burstall and J. Darlington. A Transformation System for Developing Re- 
cursive Programs. Journal of the ACM, 24(l):44-67, January 1977. 

[3] W. Chen and D. S. Warren. Tabled Evaluation with Delaying for General Logic 
Programs. Journal of the ACM, 43(l):20-74, January 1996. 

[4] M. Codish, M. Bruynooghe, M. Garci'a de la Banda, and M. Hermenegildo. Ex- 
ploiting Goal Independence in the Analysis of Logic Programs. Journal of Logic 
Programming, 32(3):247-262, September 1997. 

[5] M. Codish, B. Demoen, and K. Sagonas. Semantic-Based Program Analysis for 
Logic-Based Languages using XSB. K.U. Leuven Technical Report CW 245. De- 
cember 1996. 

[6] S. Decorte, D. De Schreye, M. Leuschel, B. Martens, and K. Sagonas. Termination 
Analysis for Tabled Logic Programming. In N. Fuchs, editor. Proceedings of LOP- 
STR’97: Logic Program Synthesis and Transformation, LNCS, Leuven, Belgium, 
July 1997. Springer- Verlag. 

[7] M. Falaschi, G. Levi, C. Palamidessi, and M. Martelli. Declarative Modeling of the 
Operational Behavior of Logic Languages. Theoretical Comput. Sci., 69(3):289- 
318, 1989. 

[8] J. Gallagher. A System for Specialising Logic Programs. Technical Report TR- 
91-32, University of Bristol, November 1991. 

[9] J. Gallagher. Tutorial on Specialisation of Logic Programs. In ACM SIGPLAN 
Symposium on Partial Evaluation and Semantics -Based Program Manipulation, 
pages 88-98, Copenhagen, Denmark, June 1993. ACM Press. 

[10] J. Gallagher and M. Bruynooghe. Some Low-Level Source Transformations for 
Logic Programs. In M. Bruynooghe, editor. Proceedings of the Second Workshop 
on Meta-programming in Logic, pages 229-244, Leuven, Belgium, April 1990. 

[11] R. Gliick, J. Jprgensen, B. Martens, and M. H. Sprensen. Controlling Con- 
junctive Partial Deduction of Definite Logic Programs. In H. Kuchen and 
S. Swierstra, editors. Proceedings of the International Symposium on Program- 
ming Languages, Implementations, Logics and Programs (PLILP’96), number 




202 



Michael Leuschel et al. 



1140 in LNCS, pages 152-166, Aachen, Germany, September 1996. Springer- 
Verlag. Extended version as Technical Report CW 226, K.U. Leuven. Accessible 
via http: //www. cs .kuleuven. ac .be/~lpai. 

[12] C. K. Holst. Finiteness Analysis. In J. Hughes, editor, Proceedings of the 5th ACM 
Conference on Functional Programming Languages and Computer Architecture 
(FPCA), number 523 in LNCS, pages 473-495. Springer- Verlag, August 1991. 

[13] M. Leuschel and D. De Schreye. Towards creating specialised integrity checks 
through partial evaluation of meta-interpreters. In Proceedings of PEPM’95, the 
ACM Sigplan Symposium on Partial Evaluation and Semantics- Based Program 
Manipulation, pages 253-263, La Jolla, California, June 1995. ACM Press. 

[14] M. Leuschel, D. De Schreye, and A. de Waal. A conceptual embedding of fold- 
ing into partial deduction: Towards a maximal integration. In M. Maher, edi- 
tor, Proceedings of the Joint International Conferenee and Symposium on Logic 
Programming JICSLP’96, pages 319-332, Bonn, Germany, September 1996. MIT 
Press. Extended version as Technical Report CW 225, K.U. Leuven. Accessible 
via http: //www. cs .kuleuven. ac .be/~lpai. 

[15] M. Leuschel and B. Martens. Partial deduction of the ground representation 
and its application to integrity checking. In J. W. Lloyd, editor. Proceedings of 
ILPS’95, the International Logic Programming Symposium, pages 495-509, Port- 
land, USA, December 1995. MIT Press. Extended version as Technical Report 
CW 210, K.U. Leuven. Accessible via http://www.cs.kuleuven.ac.be/~lpai. 

[16] M. Leuschel and D. Schreye. Logic program specialisation: How to be more spe- 
cihc. In H. Kuchen and S. Swierstra, editors. Proceedings of the International 
Symposium on Programming Languages, Implementations, Logics and Programs 
(PLILP’96), number 1140 in LNCS, pages 137-151, Aachen, Germany, Septem- 
ber 1996. Springer- Verlag. Extended version as Technical Report CW 232, K.U. 
Leuven. Accessible via http : / /www . cs . kuleuven . ac . be/~lpai. 

[17] J. W. Lloyd and J. C. Shepherdson. Partial Evaluation in Logic Programming. 
Journal of Logic Programming, 11(3 & 4):217-242, October/November 1991. 

[18] A. Pettorossi and M. Proietti. Transformation of Logic Programs: Foundations 
and Techniques. Journal of Logic Programming, 19 & 20:261-320, May/July 1994. 

[19] S. Prestwich. An Unfold Rule for Full Prolog. In K.-K. Lau and T. Clement, ed- 
itors, Logic Program Synthesis and Transformation: Proceedings of LOPSTR’92, 
Workshops in Computing, Manchester, U.K., 1992. Springer- Verlag. 

[20] S. Prestwich. The PADDY Partial Deduction System. Technical Report ECRC- 
92-6, ECRC, Munich, Germany, 1992. 

[21] M. Proietti and A. Pettorossi. Semantics Preserving Transformation Rules for Pro- 
log. In Proceedings of the Symposium on Partial Evaluation and Semantics-Based 
Program Manipulation, pages 274-284, Yale University, New Haven, Connecticut, 
U.S.A., June 1991. ACM Press. 

[22] I. V. Ramakrishnan, P. Rao, K. Sagonas, T. Swift, and D. S. Warren. Efficient 
Tabling Mechanisms for Logic Programs. In L. Sterling, editor. Proceedings of 
the 12th International Conference on Logic Programming, pages 687-711, Tokyo, 
Japan, June 1995. The MIT Press. 

[23] K. Sagonas. The SLG-WAM: A Search- Efficient Engine for Well-Eounded Eval- 
uation of Normal Logic Programs. PhD thesis, Department of Computer Science, 
SUNY at Stony Brook, August 1996. 

[24] K. Sagonas, T. Swift, and D. S. Warren. XSB as an Efficient Deductive Database 
Engine. In Proceedings of the ACM SICMOD International Conference on the 
Management of Data, pages 442-453, Minneapolis, Minnesota, May 1994. ACM 
Press. 




Preserving Termination of Tabled Logic Programs While Unfolding 203 



[25] D. Sahlin. Mixtus: An Automatic Partial Evaluator for Full Prolog. New Gener- 
ation Computing, 12(1):7-51, 1993. 

[26] H. Tamaki and T. Sato. Unfold/Fold Transformations of Logic Programs. In S.- 
A. Tarnlund, editor, Proceedings of the Second International Conference on Logic 
Programming, pages 127-138, Uppsala, Sweden, July 1984. 

[27] H. Tamaki and T. Sato. OLD Resolution with Tabulation. In E. Shapiro, editor, 
Proceedings of the Third International Conference on Logic Programming, number 
225 in LNCS, pages 84-98, London, July 1986. Springer- Verlag. 

A Proof of Theorem E 

Theorem IB Let S C Bp, and let P' be obtained from P by a sequence of 
left-most unfolding steps and unfolding steps without left-propagated bindings. 
If P is quasi-terminating wrt S then so is P'. 

Proof. Let P = Pq, Pi, . . . , Pr = P' he the transformation sequence used to obtain P' . 
We will prove by induction on the number of unfolding steps that in each intermediate 
program Pi the transitive closure of will be smaller or in the worst case equal to 
the transitive closure of ^p. This ensures that quasi-termination is indeed preserved. 
Let Pi+i be obtained from unfolding the clause C = H ^ F, A, G m Pi wrt A using 
Pi, . . . , Dn in Pj. Let B ^p^,c',k B' . C' C then we trivially have that this part 
of the call graph is not modified in Pi+i and we have B -^p^p.^,c' ,k B' . If on the other 
hand C = C' then we do not have B ^p.^^j^,c,k B' as C has been removed and has been 
replaced by the clauses {Ci, . . . , Cn} of Definition 0 Let C — H ^ B\, ..., Br with 
F = Bi, . . . , Bq-i, A = Bq and G = Pg+i, . . . , Br. There are now three possibilities: 

1. k < q. This implies that we have applied unfolding without left-propagation (for 
left-most unfolding no atoms can be to the left of the unfolded atom Bk). We 
know that B — >p^_,_^,c",fe B' for every C” G {Pi, . • . , Cn} and as no bindings are 
left-propagated, C" = P <— P A Rest. So, if n > 0 we have B — >Pi+i B' and the 
relation — is the same as ^p,. If n = 0 then the unfolding has possibly (there 
could be other ways to establish B —yp^ B') removed an arrow by going from -^p^ 
to —yp^pi (if it is actually removed then termination might be improved by pruning 
a non-terminating computation). 

2. k > q. In that case we have B — >Pi+i B' as unfolding preserves the set of com- 
puted answers. More precisely, by Definitional we know that B' — B^O where 
6 = 69i . . . Ok-i. Let us consider the following auxiliary clause Aux = aux{X) <— 
(Pi, . . . , Bq, . . . , Bk-i)9 where X are the variables in the body of Aux. We know 
that if we unfold Aux wrt Bq then the set of computed answers of e.g. the query 
<— Aux are preserved for any selection rule (so also the left-to-right one). This 
means that if <— (Pi, . . . , Bq, . . . , Bk-i)0 had the computed answer 9, then there 
must be a similar computed answer in the unfolded program and thus we also have 

P — >Pi+i Bk9. 

3. k = q. In that case we do not have P —yp-^^ B' — unless there was another way 
to establish P ^p^ B' — but it is replaced by several (possibly) new arrows. Let 
B' = Bk9 where 9 = 99\ . . .9)^-\. Let us first consider the case that unfolding 
without left-propagation has been performed, i.e. let Ca = H y— F,bd{Ds)9a,G9a 
be an unfolded clause where 9a = mgu{Bq,hd{Da)). If P ~^Pi^i,Ca,q+k' B" for 
0 < k' < I where I is the number of atoms in bd{Da) (i.e. we have a new arrow) 
then we must have B' —>ppDa,k' B": 
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Take the clause Ds = hd{Da) <— bd{Ds). Then the clause D'a — BqOa <— 
bd{Ds)9a is actually the resultant of a simple derivation of length 1 for <— Bq. 
Hence we can use e.g. Lemma 4.12 from jm to deduce that the computed 
answers of an instance <— of ^ Bq are the same when resolving with Da as 
when resolving with D'a- 

By the induction hypothesis we know that both B —>p^ B' and B' —>Pj B" were 
already in the transitive closure of — and thus the (possibly) new arrow B — 

B” was also already in the transitive closure of ^p. Now, in the case that left-most 
unfolding has been performed then F is empty and we have that Ca = H9a ^ 
bd{Da)9a, G9a with 9a = mgu{Bq,hd{Da)). Note that in contrast to unfolding 
without left-propagation the head of Ca is not necessarily equal to H. However, 
by a similar application of Lemma 4.12 from m we can deduce that this has no 
influence and we can apply the same reasoning as above. 

So, the only new arrows which are added were already in the transitive closure of — >p 
and the new transitive closure will thus be smaller (as some arrows might be removed) 
or equal than the one of — □ 



B Proof of Lemma El 

Lemma 3. Let A and H be atoms with vars{A) C\vars{H) = 0. Let a = {X/t} 
he a grounding substitution with X ^ vars{H) and 0 = mgu{A, H) and 9' = 
mgu{Aa, H). 

1. If X ^ dom{0) then H9' « HOa. 

2. If X G dom{9) then there exists a substitution 'y A a such that H9' « H9^. 

Proof. Point 1. If X ^ vars{A) then the property is trivial, as A and Aa are identical 
and X cannot be in ran(9) by idempotence of 9. 

Now let X £ vars[A). Because X ^ dom{9) and t is ground, we have, by definition 
of composition of substitutions, that 9a = Hence, {Aa)9a — A9a — H9a and 

9a is a uniher of Aa and H. Thus, as 9' is a most general uniher there must exist a 
substitution 7 ' such that 9'"f' = 9a and thus H9a is an instance of H9' . 

We now establish that H9' is in turn an instance of H9a, and thus prove that H9' ~ 
H9a. 

Let a' = a9' . This substitution is a uniher of A and H-. Ha' = H9' (because X ^ 
vars{H)) and Aa' = Aa9' = H9'. So there must exist a substitution 7 such that 
9'y = a' (because 9 is an mgu). This means, as X ^ dom(9), that X/t £ 7 , i.e. 7 = <77 
for some 7 because t is ground. Now, H9' = Ha' = H9^ = H9a^ and we have 
established that H9' is an instance of H9a. 

Point 2. We have that X/s £ 9 for some term s. We must have that, for some 7 , 
S 7 = t. Indeed, a9' is a uniher of A and H (see proof of Point 1.) and therefore for some 
substitution 7 we have 9f = a9' . Now, because X/t £ a9' (as t is ground) we have 
that S 7 = t. Let 7 = 7 |„ars(s) = {Xi/t\, . . . ,X„/tn}. We have that all L are subterms 
of t and, unless n = 1 and s = Xi, the ti must also be strict subterms. In other words, 
7 < ( 7 . We now prove that H9' « H9^. First, we have that X/t £ 67 , by dehnition of 

® This also holds if a is not a grounding substitution but if we have ran{a)r\vars{A) = 
0 instead. 
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7, and we can thus find some substitution 9 such that Oj — a9 (because t is ground). 
Thus Oy is a unifier of H and Aa\ {Aa)9'y = Aaa9 = (because t is ground) Aa9 — A6'y 
= HO'y. Thus 6^7 is an instance of the mgu 6' and H6'y and A9"f is an instance of 
H6' . Secondly, as already mentioned above, 9j = a9' . Now, because X ^ vars{H), 
H9' = Ha9' and thus we have: H9' = Ha9' = HO^y = H9yy'' for some 7" (because 
the ti are ground) and H9' is in turn an instance of H9y. □ 

The following lemma follows immediately from Definition 

Lemma 4 . Let 71 , 72 , cti , C2 he grounding substitutions such that dom(ai) H 
dom{a2) = 0 . If 71 ^ Ci and 72 < CT2 then 7172 ^ ctiCT2. 



Lemma 5. Let A and H be atoms with vars{A) n vars{H) = 0. Let a be a 
grounding substitution with dom{a) fl vars{H) = 0 and 9 = mgu{A, H) and 
9' = mgu{Aa, H). There exists a substitution 7 ^ cr such that H9' « H9y. 

Proof. By induction on the number of elements in a, using Lemma and Lemma^ 

□ 



The following lemma again follows immediately from Definition |3 
Lemma 6. If 71 < 72 and 72 ^ 73 then 71 < 73 
We can finally prove Lemma 0 

Proof of Lemma ^ By induction on the length of the derivation, using Lemma 
for each derivation step (and the fact that unifiers are relevant and the head of clauses 
renamed apart meaning that H9' « H9y implies BodyO' « BodyOy and thus also 
implies, together with A9' = H6' and A9y = A9y, that RQ' « RQy) and using 
Lemma ^ □ 



Unfolding the Mystery of Mergesort^ 



N. Lindenstrauss, Y. Sagiv, and A. Serebrenik 



Dept, of Computer Science 
Hebrew University 
Jerusalem, Israel 

{naomil , sagiv , alicser}@cs . huj i . ac . il 



Abstract. This paper outlines a fully automatic transformation for 
proving termination of queries to a class of logic programs, for which 
existing methods do not work directly. The transformation consists of 
creating adorned clauses and unfolding. In general, the transformation 
may improve termination behavior by pruning infinite branches from the 
LD-tree. Conditions are given under which the transformation preserves 
termination behavior. The work presented here has been done in the 
framework of the TermiLog system, and it complements the algorithms 
described in UH. 



1 Introduction 

This paper outlines a fully automatic method for proving termination for a 
certain class of logic programs for which the existing approaches (e.g., mm) 
do not work directly, but require some preliminary transformations. The work 
presented here has been done in the framework of the TermiLog system, and is 
an addition to the algorithms described in m 

We assume that we are given a program P and a query pattern n. By query 
pattern we mean an atom whose predicate appears in the program and whose 
arguments are b or /. An atom A in the extended Herbrand base Bp (for this 
notion see ra) is said to be an instance of a query pattern k if it has the 
predicate of k and the arguments at the positions of the 6’s in the pattern are 
ground. By termination of a query pattern n relative to the program, we mean 
that for each atom A that is an instance of k, the LD-tree of P U A} is 
finite. (Recall that the LD-tree is the SLD-tree with the leftmost selection rule.) 
In the next section, we will see that it is possible to have weaker requirements 
than groundness for positions of &’s in the query pattern, depending on the norm 
used for proving termination. For more details on termination analysis of logic 
programs see ™iii5iiia . 

To motivate our approach, consider the following example of the mergesort 
program, which is a common example in papers dealing with termination of logic 
programs (e.g., mm)- 
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Example 1. The following program sorts a list if we give a query with the pattern 
mergesort{b, /). 



mergesort([], []). 
mergesort([X], [X]). 

mergesort([X, Y|Xs], Ys) split([X, Y|Xs], Xls, X2s), 

mergesort(Xls, Yls), 
mergesort(X2s, Y2s), 
merge(Yls, Y2s, Ys). 

split([U],D)- 

split([X|Xs], [X|Ys],Zs) split(Xs, Zs, Ys). 
merge([], Xs, Xs). 
merge(Xs, [], Xs). 

merge) [X|Xs], [Y|Ys], [X|Zs]) X =< Y,merge(Xs, [Y|Ys],Zs). 
merge([X|Xs], [Y|Ys], [Y|Zs]) X > Y, merge([X|Xs], Ys, Zs). 

However, showing termination for the above program is not easy, and the usual 
approach is to transform the program before showing termination. For exam- 
ple, Pliimer m applies iterated unfolding to replace the recursive clause of 
mergesort with the following clause. 

mergesort([X, Y|Xs], Ys) split(Xs, Xls, X2s), 

mergesort ([X|Xls], Yls), 
mergesort ([Y|X2 s],Y2s), 
merge(Yls, Y2s, Ys). 

Ullman and Van Gelder m introduce two auxiliary predicates. Apt and Pe- 
dreschi | 2 | introduce an additional argument that forces termination of the pro- 
gram. For all these transformations, it is not clear how they could be generalized 
or incorporated in an automatic system for checking termination. 

In this paper, we show how to transform programs (for the purpose of show- 
ing termination) in a completely automatic way. The work reported here was 
done in the context of the TermiLog system wm for automatic termination 
analysis of logic programs. The transformation we present is triggered by a fail- 
ure of the TermiLog system to show termination. The rough idea is to identify 
nonrecursive subcases of a problematic predicate, and separate those cases from 
the general recursive case. For example, in the case of the mergesort program, 
the problematic predicate is split, and the nonrecursive cases that should be 
handled separately are those of applying split to either an empty list or a list 
with just one element. 

The transformation we present is based on constraint inference, creation of 
adorned clauses and unfolding. As in the case of unfolding, our transformation 
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can improve termination in the sense that it may prune infinite branches of the 
LD-tree. However, we also provide conditions guaranteeing that the transforma- 
tion preserves termination behavior, in the sense that the transformation neither 
prunes existing infinite branches nor adds new infinite branches. Therefore, the 
transformation makes it possible to reason about the termination of the original 
program. 

2 Inference of Monotonicity and Equality Constraints 

Automatic termination analysis relies on constraints among argument sizes. We 
use the following definition (cf. m)- 

Definition 1. () A linear symbolic norm for the terms created from an alpha- 
bet having a finite set of constants and function symbols, and a denumerably 
infinite set of variable symbols, is defined as follows. If the term is of the form 
/(Ti, . . . Tn), for a suitable functor f of arity n and terms T\, . . . T„, we define 

n 

||/(ri,...r„)|| = c + ^a.||T,|| (1) 

i=l 

where c and a\, ...an are non-negative integers that depend only on f/n. This 
also defines the norm of constants if we consider them as function symbols with 
arity 0. If the term is a variable, for example X , we define 

\\X\\=X 

that is, with each logical variable, we associate an integer variable to represent 
its norm. The same name is used for both the logical and integer variables, but 
the appropriate meaning will be clear from the context. 

From the definition, it follows that the linear symbolic norm of a term is a linear 
expression in its variables. 

Definition 2. () A term is instantiated enough with respect to a linear symbolic 
norm if the expression giving its linear symbolic norm is an integer. 

For simplicity, we use in this paper the term-size norm (cf. PI) for measuring 
sizes of arguments. The term-size norm is defined by setting, in (1), each Oi to 1 
and c to n. A term is instantiated enough according to the term-size norm if it 
is ground. However, our method applies to any linear symbolic norm. (See m 
for details — note that in general, an argument 6 in a query pattern does not 
necessarily denote a ground argument, but just an argument that is instantiated 
enough with respect to the given symbolic norm. So, for example, showing that 
the query pattern mergesortfb, f) terminates with respect to the list-size norm 
means that all queries with predicate mergesort and first argument instantiated 
to a list with finite length terminate. Such an argument need not be ground. 
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Note, by the way, that if a term is ground, it is instantiated enough with respect 
to any linear symbolic norm.) 

Methods for constraint inference are described in Ihlfl^mdl . We use mono- 
tonicity and equality constraints [^, which are relatively simple to infer. A mono- 
tonicity constraint l{i, j) for a predicate p means that the size of the fth argument 
of p is less than the size of the jth argument of p. Similarly, an equality constraint 
eq{i,j) for a predicate p means that the ith and jth arguments of p have equal 
sizes. 



A conjunctive constraint for a predicate is a conjunction of monotonicity and 
equality constraints for the arguments of that predicate. A disjunctive constraint 
for a predicate is a disjunction of conjunctive constraints for that predicate. 

We will represent a conjunction of constraints as a pair of the form (name, list), 
where name is the predicate name and list is the list of constraints in the con- 
junction. 

For a predicate p, there is a finite number of monotonicity and equality 
constraints that may hold among its arguments. The inference process may be 
viewed as an abstract interpretation with a finite domain, and therefore, is guar- 
anteed to terminate. A single inference step consists of substituting already in- 
ferred constraints for the subgoals of a clause r, and inferring the constraints 
for the head. Note that the body of the clause may be empty — we call a clause 
with empty body a fact and a clause with non-empty body a rule. In what fol- 
lows we’ll use rule in the cases we want to stress that the body of a clause is 
non-empty. 

In 1121 . a single inference step is done by means of the weighted rule graph. 
Alternatively, a constraint solver can be used for that |^. Note that we infer a 
conjunctive constraint for the head, although one may get more exact descrip- 
tions by using disjunctive constraints. Thus, for the clause append{\\,Y,Y), we 
will only infer eq(2, 3), and not the more exact disjunctive constraint 



eg(l, 2) A eq{2, 3) V eq{2, 3) A 1{1, 2) 



The crucial point is to use some sound method to infer, from conjunctive con- 
straints for the body subgoals, a conjunctive constraint for the head. 

Given a predicate p, there may be several possibilities for choosing a clause 
with this predicate in its head and for substituting constraints for its body sub- 
goals. Hence applying single inference steps for a predicate p may lead to different 
constraints for p, say Cl and C2. A usual approach is to find a constraint C, 
such that C1VC2 \= C. For example, when Cl and C2 are conjunctions of linear 
constraints, C could be the convex hull of Cl and C2. We use a different ap- 
proach and simply keep both Cl and C2 (i.e., we infer the disjunction Cl V C2). 
In other words, a single inference step infers a conjunction, but several such steps 
can infer a disjunction of conjunctions. The inference of disjunctions terminates, 
since the underlying abstract domain (describing monotonicity and equality con- 
straints) is finite. The result is a disjunction of conjunctions of constraints for 
each predicate. 

The inference process starts with an empty disjunction for each predicate 
and is done bottom-up. For each clause r, we choose for each subgoal S one 
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conjunction from the current disjunction for the predicate of S (if the disjunction 
is empty, then clause r cannot be used in the current bottom-up step) . For each 
choice, we infer a conjunction of constraints for the head predicate of r. Note that 
all possible choices are considered, thus giving different conjunctions for the head 
predicate of r. In each single inference step we combine the monotonicity and 
equality constraints substituted for the subgoals with exact norm computations 
for the terms that appear in clause r, and hence, the inferred constraints are 
more precise than those that would be inferred if only monotonicity and equality 
constraints were taken into account (as in 0|). Also note that the inference may 
yield inconsistency, meaning that nothing is inferred for the head, so nothing is 
added to the disjunction of the predicate of the head. For the details see Emu. 

Example 2. Consider the following clauses for split . 

split([UM]). 

split([X|Xs], [X|Ys],Zs) split(Xs, Zs, Ys). 

From the first clause above, we get the following conjunction. 

{split, [eq{l, 2),eq{l, 3), eq(2, 3)]) 

Note that in this case there are no body subgoals, so the choice of constraints 
for them is performed vacuously. 

When we substitute this conjunction in the body of the second clause, it 
means that the following equalities are assumed to hold among the norms of 
arguments. 

||As|| = |!ys|| = ||Zs|| 

According to the definition of the term-size norm, the following equalities also 
hold. 



||[X|As]||=2+||X|| + ||Xs|| 

||[x|ys]|| = 2 + ||x|i + ||rs|| 

From all of the above equalities, we can infer the following. 

||[A|Xs]|| = ||[A|ys]|| 

|![A|Xs]||>||ys|| 

||[A|ys]||>||Zs|| 

Hence, the following conjunction is inferred for the head. 

{split, [eq{l, 2), I {3,1), I {3, 2)]) 

When the above conjunction is substituted in the body of the second clause, we 
infer the following conjunction. 



{split, [1{2,1),1{3,1)]) 
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No new conjunctions can be inferred after that. Thus, the constraint inferred for 
split is the disjunction Cl V C2 V C3, where: 



Cl = {split, [eq{l, 2),eq{l, 3),eq{2, 3)]) 

C2 = {split, [eq{l,2),l{3,l),l{3,2)]) 

C3 = {split, [;(2,1),Z(3,1)]) 

Note that an inference process working with a single conjunction of pair- 
wise constraints (by replacing a disjunction with a convex hull) would infer the 
following conjunction for split 

(74 = {split, [le{2, 1), Ze(3, 1)]) 
where le means “less than or equal to.” 

The constraint inference outlined above is, in the worst case, exponential in 
the maximal arity of any predicate and the maximal number of subgoals in any 
clause. Experimental results of using this inference process in practice are given 
in [r 3J . 

The conjunction (74 is not sufficient for showing termination of mergesort. 
Specifically, in the clause 

mergesort([X, Y|Xs], Ys) split([X, Y|Xs], Xls, X2s), 

mergesort(Xls, Yls), 
mergesort(X2s, Y2s), 
merge(Yls, Y2s, Ys). 



it is impossible to show, given the constraint (74 for split, that in both subgoals 
of mergesort, the first argument is smaller than the one in the head. Therefore, 
papers dealing with termination of mergesort were forced to use some special 
transformation of mergesort. Our approach is to show that neither (71 nor 
(72 can hold among the arguments of split in the above clause, and to use (73 
(which is stronger than (74) for showing termination. This approach is completely 
automatic and is explained in the following sections. 

This is the place to point out that we use the constraint inference for a 
further purpose. The constraint inference is done by a semi-naive bottom-up 
inference. We mark for each conjunction of constraints whether it is derived in 
(at least) two different iterations of the semi-naive bottom-up inference. This is 
easily implemented, since in each iteration of a semi-naive bottom-up inference, 
we have to determine, in any case, which constraints were obtained for the first 
time. We say that a conjunction of constraints is pseudo-recursive if it is derived 
in more than one iteration of a semi-naive bottom-up inference. In what follows, 
we will say that a predicate is a candidate for adornment if it has (at least) two 
conjunctions of constraints, such that one is pseudo-recursive and one is not. If 
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termination cannot be shown, then we will choose some candidate predicate (as 
will be explained later) and apply to it the transformations of adornment and 
unfolding described in the following two sections. 

3 Creating Adorned Clauses 

We will first illustrate how the clauses for split are transformed into clauses 
that are adorned by the inferred conjunctions Cl, C2 and C3, and then we will 
describe the method in general. Adorned clauses in the context of the magic-set 
transformation are discussed in m. and constructing adorned clauses based on 
inferred constraints is described in m- 

Transforming the clauses for split into adorned clauses is done as follows. 
First, the adorned predicates are split*^^, split'^^ and split°®. Second, in each 
one of the original clauses for split, we substitute one of the adorned predi- 
cates for each occurrence of split in the body. In general, there is more than 
one combination of substituting adorned predicates, and consequently, several 
different clauses may be created from each original clause. After substituting 
in the body, we infer the adornment of the head as follows. For each adorned 
subgoal in the body, we substitute the conjunction of constraints specified by 
its adornment (e.g.. Cl is substituted for split'^^). The adornment for the head 
is computed from the constraints substituted in the body, as was done in the 
bottom-up inference of constraints (i.e., using a weighted rule graph or a con- 
straint solver). Note that the adornment for the head must be one of the inferred 
conjunctions for split, since the inference of the head adornment is the same as 
in a single step of the bottom-up inference of constraints. Special consideration 
should be given to the case in which the conjunctions of constraints substituted 
in the body yield inconsistency. In this case, the adorned clause is eliminated, 
because it describes a situation that cannot happen (for example, we will never 
be able to prove a goal in which the norm of the first argument is both smaller 
and bigger than the norm of the second argument). 

Example 3. Consider the original clauses for split. 

split([UU])- 

split([X|Xs], [X|Ys],Zs) split(Xs, Zs, Ys). 

In the first clause, no substitutions are done in the body, since it is empty. The 
adornment inferred for the head is Cl. Thus, only one adorned clause is obtained: 

In the second original clause for split, either split'^^, split°^ or split°® can 
be substituted for the occurrence of split in the body. The resulting clauses are 
as follows. 

split°^([X|Xs], [X|Ys],Zs) split‘^^(Xs, Zs, Ys). 

split'^^([X|Xs], [X|Ys],Zs) split‘^^(Xs, Zs, Ys). 

split“([X|Xs], [X|Ys],Zs) split‘^®(Xs, Zs, Ys). 
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In general, adorning a predicate s is done as follows. If the inferred constraint 
for s is a single conjunction C, then all occurrences of s are adorned with C, 
and the adorned predicate is denoted as . Now, suppose that predicate s has 
the disjunctive constraint 

Cl V ... V Cn 

where n > 2. The adorned versions of s are 



The idea is that after replacing s with its adorned versions, the inferred constraint 
for each is the single conjunction Ci. The adornment process is done as 
follows. For each clause H ^ B\, ... ,Bk oi the program that has an occurrence 
of s either in the head or in the body, we consider all combinations of 

— replacing each occurrence of s in the body with one of . . . , s^", and 

— assigning to each subgoal in the body one of the conjunctions of the dis- 
junctive constraint inferred for the predicate of that subgoal (the disjunctive 
constraint may consist of a single conjunction). Note that for each the 
assigned constraint is Ci. 

Next, we infer the constraint for the head of the clause H ^ Bi, . . . , Bk- Note 
that this inference step is identical to some single step of the bottom-up inference, 
since the constraints assigned to the subgoals in the body are just conjunctions 
that were inferred for the predicates of those subgoals. If the inference yields 
inconsistency, then the adorned clause is discarded. If the predicate of the head 
is s and the constraint C is inferred for the head, then C becomes the adornment 
of the head. The following remarks should be noted. First, C must be one of 
Cl, ... , Cn, since the inference of C is just a repetition of a single step of the 
bottom-up inference. Second, applying constraint inference to the new program 
will yield for each the constraint Ci. Third, in the case of a clause for s that 
has an empty body, we only need to infer the adornment of the head. Fourth, the 
adornment process we have described can be used to adorn predicate s without 
adorning (some or all) the predicates on which s depends. 

Discarding clauses (in process of adorning a predicate) may transform a non- 
terminating program into a terminating one, as shown by the next example. 

Example 4- Consider the following clauses. 

p(X,Y) le(X,Y). 
le(X,X). 

le(X,s(Y)) le(X,Y). 
le(s(X),s(Y)) le(X,Y). 
le(s(X),X) le(s(X),X). 

Two conjunctions of constraints are inferred for le, namely (le, [e<7(l,2)]) and 
{le,[l{l,2)]). We transform le into two adorned predicates, denoted 
and let^C. 2 )]^ obtain the following adorned clauses. 




214 



N. Lindenstrauss et al. 



p(X, Y) Y). 

p(X,Y) 

let®'i(^’^)](X,X). 

le[i(i.2)](x, s(Y)) le[®'i(^’2)l(X, Y). 

leH(i’2)](x^s(Y)) :- y). 

le[®'i(i’2)]('s(x), s(Y)) :- Y). 

leW^’2)l(s(X),s(Y)) :- leW^’2)](X, Y). 

Note that the two adorned versions of the last clause of the original pro- 
gram were discarded, because the constraint among the argument sizes in that 
clause (i.e., the term size of s(X) is greater than the term size of X) and the 
constraints substituted for the adorned predicates are inconsistent. As a result 
of the elimination of that clause, queries having the pattern p(b, b) terminate 
with respect to the transformed program, although queries of the pattern p(&, b) 
may be non-terminating with respect to the original program. 

It should be noted that the transformation of creating adorned clauses pre- 
serves the computed answer substitutions (c.a.s) of the program; however, it may 
prune infinite branches in the LD-tree. Therefore, we can view it as a transfor- 
mation for improving the behavior of a program with respect to termination. 
As illustrated in Example 0 the transformation is capable of converting a non- 
terminating program into a terminating one. 

4 Nonrecursive Unfolding 

The predicate dependency graph for a program is defined (cf. [1 5j ) as a graph 
that has a node for each predicate and an edge from p to y if there is a rule 
with predicate p in the head and predicate q in the body. A predicate p is 
recursive if there is a cycle in the predicate dependency graph that goes through 
p. A predicate p is nonrecursive if there is no such cycle, and p is strongly 
nonrecursive if it is nonrecursive and does not depend, directly or indirectly, on 
any recursive predicate. A rule is (strongly) nonrecursive if all predicates in its 
body are (strongly) nonrecursive. 

Rules for strongly nonrecursive predicates can be completely unfolded into 
facts. The adorned clauses in Example 0 involve three predicates, split°^, 
split'^^ and split'^®, the first two being strongly nonrecursive and the third 
one — recursive. Thus, both split'^^ and split*^^ can be unfolded. A complete 
unfolding of the rule for split'^^ yields the following fact. 

spiit=2([x],[x],D). 

Similarly, a strongly nonrecursive rule, such as the following rule 
split“([X|Xs], [X|Ys],Zs) split'^^(Xs, Zs, Ys). 
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can also be replaced with facts. For example, the above rule can be replaced 
with the following fact. 



split="([X,Y],[X],[Y]). 

Thus, the four adorned clauses for split from Example Scan be replaced with 
the following clauses. 

split=^([UUD- 

spiit=2([x],[x],D). 

split“([X,Y],[X],[Y]). 

split“([X|Xs], [X|Ys],Zs) split°®(Xs, Zs, Ys). 

After having used unfolding for the adorned clauses for split, we now consider 
the rule for mergesort that involves split. 

mergesort([X, Y|Xs], Ys) split([X, Y|Xs], Xls, X2s), 

mergesort(Xls, Yls), 
mergesort(X2s, Y2s), 
merge(Yls, Y2s, Ys). 



According to our method, this rule should be replaced with three rules, where 
each one of those rules is obtained by replacing split with either split°^, 
split'^^ or split°®. In the new rules, the strongly nonrecursive predicates, 
split'^^ and split°^, can be completely unfolded. When doing so, [X, Y|Xs] can- 
not be unified with either [] or [X], and so, two of the new rules disappear and 
only the following one remains. 

mergesort([X, Y|Xs], Ys) split“([X, Y|Xs], Xls, X2s), 

mergesort(Xls, Yls), 
mergesort(X2s, Y2s), 
merge(Yls, Y2s, Ys). 

In general, there are two stages of unfolding — first in the clauses for the 
adorned predicate, and then in the other clauses. 

What we did here can be generalized to predicates that are not strongly 
nonrecursive, but just nonrecursive. Given the predicate dependency graph, it 
can be partitioned into strongly connected components (SCC), which can be 
sorted topologically. The predicates of each SCC depend only on predicates of 
lower SCCs. Each subgoal of a nonrecursive adorned predicate (that appears 
in the right-hand side of an adorned rule) can be unfolded into subgoals of 
predicates in lower SCCs. 
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5 Reasoning Abont Termination 

Thus far, we have described the two transformations of adorning a predicate and 
performing nonrecursive unfolding of an adorned predicate, and applied them 
to the mergesort program. Both transformations preserve the computed answer 
substitutions. However, as the example at the end of SectionQ and Example 1 in 
0 show, these transformations may, in general, turn a non-terminating goal into 
a terminating one. The theorems in this section show that under conditions that 
are satisfied by the mergesort program this will not happen, so the transformed 
program will have the same termination behavior as the original program. 

The first transformation is adorning a predicate s. For simplicity, we assume 
that s is not mutually recursive with any other predicate (otherwise, we have 
to create simultaneously adorned versions for all predicates that are mutually 
recursive with s). The steps of the transformation are as follows. 

— Infer constraints for predicate s and for the predicates on which s depends. 

Note that for predicates that are already adorned, the inferred constraints 

are identical to the adornments. 

— Adorn predicate s, as described in SectionQ. 

In general, the above transformation preserves the c.a.s. semantics of the pro- 
gram (that is, it preserves the computed answer substitutions of all derivations), 
but it may improve the termination of the program. The following theorem 
shows that under certain conditions, the above transformation also preserves 
termination behavior. We need the following definitions. 

Definition 3. () Given a program P and a query pattern k, we define calls^K) 
as a set of call patterns that satisfies the following condition. For all queries Q 
with the pattern k and for all nodes v in the LD-tree of Q with respect to P, the 
first subgoal in v must be an instance of some a € calls{n). 

Note that calls{K) is not uniquely defined. Ideally, we would like calls{K) to be 
the set of all call patterns generated by k, but in practice, calls^K) is computed 
by some abstract interpretation that may only provide an approximation. In the 
case of mergesort., one may have 

calls{mergesort{b, f)) = 

{b=<b, b > b, mergesort{b, f), merge{b,b, f), split{b, f, f)} 

Definition 4. () Let P be a program, s a predicate in P, and k a query pattern 
for a predicate that depends on s. We say that predicate s is terminating with 
respect to k and P if all query patterns of s in calls{n) are terminating with 
respect to P. 

Note that s can be terminating with respect to k even if k is not terminating. 
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Theorem 1. Let P he a program, s a predicate in P and k a query pattern, 
whose predicate belongs to a higher level of the predicate dependency graph of P 
than s. Suppose that s is terminating with respect to k and P. Let P“ be obtained 
from P by creating adorned rules for predicate s as described above. Let Q be a 
query with pattern n. The LD-tree of Q with respect to P is finite if and only if 
the LD-tree of Q with respect to is finite. 

Proof. Note that each clause r“ of P“ has a corresponding clause r of P that 
is obtained from by deleting the adornments of those predicates that are not 
adorned in P. Consider a query Q with the pattern k, and suppose that the LD- 
tree of Q with respect to P“ has an infinite branch. By deleting the adornments 
of s from that infinite branch, we get an infinite branch of the LD-tree of Q with 
respect to P. 

To prove the other direction, suppose that there is an infinite branch of the 
LD-tree of Q with respect to P. Since we assumed that predicate s is terminating 
with respect to k and P, refutations of subgoals of s, along that infinite branch, 
are finite. We will show how to replace each partial branch of the form 

^ s{- ■ ■■),■■■ ,gk{- ■ ■) 



^ 9i{- ■■),■■■ ,9k{- ■ ■) 

(which corresponds to a refutation of <— s(. . .) with respect to P) with a partial 
branch of P“ having the same c.a.s. 

Going bottom up along the above partial branch, we will tag predicates in a 
process that is similar to creating adorned clauses. Suppose that the node 

has the child 

^Pi,...,P„,C0,... 

that was obtained by using a clause instance H9 ^ Pi, . . . , P„ of the clause 
H' ^ P( , . . . , P(j (note that n = 0 is possible) . Inductively, we assume that 
Bi,. . . ,Bn were already tagged. The tag of each Bi is essentially a conjunctive 
constraint, and we assign those constraints to Pj, . . . , P(,, respectively. The tag 
for the head H' is just the conjunction of constraints inferred for H'. The tag 
generated for H' is given to the occurrence of H in the node 

as well as to occurrences of H in ancestors of that node. Note that essentially we 
have here a bottom-up inference of constraints that starts with instantiated facts 
of the program. We use the original clause H' ^ B[, ... , P(,, rather than the 
instance HO <— Pi, ... , P„, in order to guarantee that the inferred constraints 
are the same as in the original program (if the clause instance had been used, it 
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might have been possible to infer tighter constraints that do not coincide with 
the adornments of P“). 

The predicates involved in this inference are just s and predicates on which 
s depends. Some of those predicates may already be adorned in P, and in this 
case, the tags coincide with the existing adornments. It may also be the case that 
a predicate is tagged although it is not adorned in In this case, we simply 
delete the tags of that predicate at the end of the process. For occurrences of 
predicate s, the tags become the adornments for s. Thus, we have shown how 
to transform the infinite branch of the LD-tree of Q with respect to P into an 
infinite branch of the LD-tree of Q with respect to P°‘. □ 

If in Theorem ^ we do not make the assumption that s is terminating with 
respect to k and P, then only one direction of the theorem holds; that is, if 
the LD-tree of Q with respect to P is finite then so is the LD-tree of Q with 
respect to The converse is not necessarily true, as was shown in Example 0 
However, both LD-trees still generate the same c.a.s. 

The second transformation is unfolding of adorned versions of s. We apply 
this transformation in two stages. First, we unfold adorned versions of s in 
bodies of rules for adorned versions of s. Second, we unfold adorned versions of 
s in bodies of rules for predicates other than adorned versions of s. In general 
unfolding may improve termination, as shown by the next theorem 

Theorem 2. Let P be a program and n a query pattern. Let P' he the program 
obtained from P by unfolding. Let Q he a query with pattern k. Lf the LD-tree of 
Q with respect to P is finite, so is the LD-tree of Q with respect to P' . Moreover, 
Q has the same computed answer substitutions with respect to both programs. 

Our goal is not just to show that Q terminates with respect to the trans- 
formed program, but also that it terminates with respect to the original program. 
The following two theorems state conditions for preserving termination behavior 
under the unfolding transformation. The first theorem deals with unfolding of 
adorned versions of s in rules for adorned versions of s, and the second theorem 
deals with a similar unfolding in rules for predicates other than adorned versions 
of s. 

Theorem 3. Consider a program P and a query pattern k, and let s be a pred- 
icate of P. Let P“ and be defined as follows. 

— Program is obtained from P by the transformation of adorning predicate 
s. 

— Program is obtained from P“ by unfolding adorned versions of s in bodies 
of rules of P°" , where the heads of those rules are also adorned versions of s. 

Lf s is terminating with respect to P and k, and Q is a query with pattern k, 
then the following holds. The LD-tree of P“ with respect to Q is finite if and 
only if the LD-tree of P““ with respect to Q is finite. 
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Proof. One direction follows from Theorem Q For the other direction, suppose 
that the LD-tree of P“ with respect to Q has an infinite branch. Since s is 
terminating with respect to P and k, refutations of subgoals of s along the 
infinite branch are finite. We can replace each refutation of a subgoals of s with 
a refutation that uses clauses of and the result is an infinite branch of the 
LD-tree of P““ with respect to Q. □ 

The above theorem states that any adorned version of s can be unfolded in 
rules for s while preserving the termination behavior of k. In practice, however, 
we would unfold just the nonrecursive adorned versions of s. 

Theorem 4. Consider a program P and a query pattern k, and let s be a pred- 
icate of P. Let P°", and he defined as follows. 

— Program P“ and P““ are obtained as defined in Theorem 0 

— Suppose that the adorned versions of predicate s are partitioned into two 

nonempty subsets Ai and A 2 . Program is obtained from P““ by un- 

folding adorned versions of Ai in bodies of rules of P““ for predicates other 
than s. 

If s is terminating with respect to P and k, then the following holds. The LD-tree 
of P°' with respect to a query Q with pattern k is finite if and only if the LD-tree 
of with respect to Q is finite. 

Proof. By Theorems Qand Qit is enough to prove that it cannot happen that 
the LD-tree for P““ and Q is infinite, while the LD-tree for and Q is not. 
The main difference between P““ and is that in the transition from the 

first to the second some rules of the form 

H : - ...,s, 

got eliminated after unfolding because they could only create failing derivations. 
If such a transformation changes Q from non-terminating to terminating this 
must be caused by the subgoals preceding Si in the rule. However since P““ 
contains all the rules 

H ...,si(...),... 

H ...,S2(...),... 

H ...,Sfc(...),... 

and there is at least one st for which we do not perform unfolding, some copies 
of the subgoals that cause non-termination remain in □ 

The above theorem assumes that the adorned versions of predicate s are 
partitioned into two nonempty subsets A\ and H 2 , and only adorned versions 
of Ai are unfolded. In practice, Ai would be a set of nonrecursive adorned 
versions of s, and those adorned versions would be completely unfolded if they 
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are strongly nonrecursive, or just unfolded into predicates from lower SCCs if 
they are merely nonrecursive. 

Now, consider again the mergesort program. First, TermiLog can show that 
predicate split is terminating with respect to the original mergesort program 
and a query of the pattern mergesort(b^ /). Thus, the transformation of creating 
adorned rules for split (which is described in SectionEI) is termination-behavior 
preserving by Theorem Q Secondly, the unfolding applied to the adorned rules 
of split (which is described in Section is termination-behavior preserving 
by Theorem El Thirdly, the unfolding of the adorned subgoals of split in the 
rules for mergesort (which is described in Section is termination-behavior 
preserving by Theorem ^ (in this particular case, it follows that the unfolding 
is termination-behavior preserving also because the unfolded subgoal is always 
the leftmost subgoal). 

The new program for mergesort, after all the transformations described thus 
far, is the following one. 

mergesort([], []). 
mergesort([X], [X]). 

mergesort([X, Y|Xs], Ys) split°®([X, Y|Xs], Xls, X2s), 

mergesort(Xls, Yls), 
mergesort(X2s, Y2s), 
merge(Yls, Y2s, Ys). 

split=^([UUD- 

spiit=^([x],[x],D). 

split"^([X,Y],[X],[Y]). 

split'^^OxIXs], [X|Ys],Zs) split°®(Xs, Zs, Ys). 
merge([], Xs, Xs). 
merge(Xs, [], Xs). 

merge([X|Xs], [Y|Ys], [X|Zs]) X =< Y,merge(Xs, [Y|Ys],Zs). 
merge([X|Xs], [Y|Ys], [Y|Zs]) X > Y, merge([X|Xs], Ys, Zs). 

Termination of the new program for mergesort can be easily shown by the 
TermiLog system PiU]. Since the transformations are all termination-behavior 
preserving, it follows that the original mergesort program also terminates. 



6 The General Method 

In this section, we describe a heuristic for deciding which predicates should 
be adorned in order to prove termination. In principle, it is possible to find 
all predicates to which our transformation can be applied, but it may not be 
practical to do so. Suppose that k is a query pattern for a program P, and 
termination of k cannot be shown, say with TermiLog. The purpose of the 
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following steps is to find a predicate s, and apply to s the transformations of 
creating adorned clauses and unfolding nonrecursive adorned versions of s, in 
order to show termination. 

1. Perform constraint inference for P. 

2. Compute calls{n) (see m for details). 

3. Find a tr in calls^K), such that termination of a cannot be shown, but all 
calls of a to predicates from lower SCCs can be shown to terminate, and a 
depends on a predicate from a lower SCC, say s, for which some but not all 
the constraints are pseudo-recursive. If there is no such a, then stop. 

4. Create adorned clauses for s and compute (see Theorem Note that 
the unfolding is done with respect to those adornments of s that are not 
pseudo-recursive, since those adornments yield nonrecursive adorned versions 
of s. A complete unfolding is performed for strongly nonrecursive predicates, 
while nonrecursive predicates are unfolded into predicates from lower SCCs. 

If, after performing the above transformations for s, termination of a cannot 
be shown, then the method is not powerful enough to show termination. If ter- 
mination of cr can be shown, but termination of k still cannot be shown, then 
we repeat the process for k and Since each choice of s reduces the number 

of candidate predicates by 1, the steps cannot be repeated forever. 

In the program for mergesort, there was exactly one candidate predicate, 
namely split. As another example, consider the following program for finding 
the greatest common divisor, where the query is of the pattern gcd{b, b, /). 

Example 5. 

less(0, s(X)). 

less(s(X), s(Y)) less(X,Y). 
less(X, s(Y)) less(X,Y). 
add(0,L,L). 

add(s(X),Y, s(Z)) add(X,Y, Z). 

mod(s(X), s(X), 0). 

mod(X, s(Y),X) less(X, s(Y)). 

mod(X,s(Y),M) less(s(Y), X), add(s(Y), Yl, X), mod(Yl, s(Y), M). 
gcd(s(X),0,s(X)). 

gcd(X, s(Y), M) mod(X, s(Y), Ml), gcd(s(Y), Ml, M). 

In this example, there are 4 recursive predicates, and it turns out that all, ex- 
cept less, are candidate predicates. Each predicate of the above program is in 
a strongly connected component by itself. The predicates less and add are in 
the lowest layer, followed by mod and then by god. The TermiLog system can 
show termination of less and add, but fails to show termination of mod. Our 
heuristic is to choose a candidate predicate s, such that s appears as a subgoal 
in some rule of mod and s is from a lower SCC than mod, and to replace s with 



222 



N. Lindenstrauss et al. 



its adorned versions. In our example, add is the only candidate predicate that 
appears as a subgoal in some rule for mod, and hence, add is a candidate for ap- 
plying the transformation into adorned clauses. The following two conjunctions 
of constraints are inferred for add. 

Al = (add, [eq(2, 3)]) 

A2 = (add, [/(2,3)]) 

Thus, we transform add into the adorned predicates add*^ and add^^, where the 
first one is strongly nonrecursive. After creating adorned clauses and unfolding 
strongly nonrecursive predicates, we get the following program. 

less(0, s(X)). 

less(s(X), s(Y)) less(X,Y). 

less(X, s(Y)) less(X,Y). 

add^^(0,L,L). 

add"2(s(0),Y,s(Y)). 

add^^(s(X), Y, s(Z)) add^^(X, Y, Z). 

mod(s(X), s(X), 0). 

mod(X, s(Y),X) less(X, s(Y)). 

mod(X, s(Y),M) less(s(Y), X), add^^(s(Y), Yl, X), mod(Yl, s(Y), M). 
gcd(s(X),0,s(X)). 

gcd(X, s(Y),M) mod(X, s(Y), Ml), gcd(s(Y), Ml, M). 

Now TermiLog can show termination. The theorems of the previous section imply 
that there also is termination for the original program. 

In the following example the transformation has to be performed several 
times. 

Example 6. 



a(L,L). 

a(L,[H|K]) a(L,K). 

level.O([],0). 

level_0([X,X|L], [X|M]) a(U,L), 

level_0(U,M). 

level.l([],0). 

level_l([X|L], Y) level_0([X|L], Z), 
level_l(Z, Y). 

levelJ2([],0). 

levelJ2([X|L], Y) level_l([X|L], Z), 
levelJ2(Z, Y). 
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In this case all the predicates are recursive. The predicate a is in the low- 
est see of the predicate dependency graph and is followed by the See’s of 
level -OJeveLl, levelJ2 in this order. The constraints are 

{levels), [eg(l, 2)], nonrec) 

{levels, [l{2, 1)], rec) 

{levelA, [eg(l, 2)], rec) 

{level A, [l{2, 1], rec) 

{levels, [eg(l, 2)], rec) 

{levels, [l{2, 1)], rec) 

and TermiLog can prove termination of levelS{b, f) but not of level A{b, f) and 
levelS{b, f). So the candidate for adorning and unfolding is levels. After the 
transformations we get the program 

a(L,L). 

a(L,[H|K]) a(L,K). 

level_0[i(2.i)]([x^X|L],[X]) a([],L). 

level_0[^(^’^)l([X,X|L], [X|M]) a(U,L), 

level_0[^(^’^)'(U,M). 

level_l([],0). 

level_l([X|L],Y) level_o[^(^’^)l([X|L], Z), 
level_l(Z, Y). 

levelJ2([],0). 

levelJ2([X|L], Y) level_l([X|L], Z), 
levelJ2(Z, Y). 

Now TermiLog can prove the termination of levelA{b, f) but not of levelS{b, f), 
and level A has the non-pseudo-recursive constraint [eq{l,2)] and the pseudo- 
recursive constraint [1(2,1)]- So we do the adorning and unfolding for level A, 
getting the program 

a(L,L). 

a(L,[H|K]) a(L,K). 

level_o[i(2,i)]([x^X|L],[X]):-a(0,L). 
level_0[^(2'^)l([X,X|L], [X|M]) a(U,L), 

level_0[^(^’^)l(U,M). 
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level_l[^(^’^)l([X|L], 0) level_ol^^^’^^l([X|L], []). 

level_l[^(^’^)l([X|L],Y) :- level_o[^(^^^)l([X|L], Z), 

levelJ2( [],[]). 

levelJ2([X|L],Y) level_ll^(^’^)l([X|L], Z), 
levelJ2(Z, Y). 

Now TermiLog can prove termination of levelJ2{b, f) and from the theorems in 
Section 5 it follows that it also terminates for the original program (Example 0 ■ 
The definitions of levelA and levelJZ in Example 0are symmetric. If we added 
similarly defined functions up to leveljn, TermiLog could prove the termination 
of level jn(b, f) after n transformations. 

7 Conclusion 

We have presented a transformation that preserves the c.a.s. semantics of logic 
programs and improves their termination behavior (i.e., infinite branches in the 
LD-tree may be pruned). We have also provided conditions for preserving ter- 
mination behavior under that transformation. The transformation is automated 
and implemented in SICStus Prolog (cf. E), and is useful in the context of 
a system for automatic termination analysis, such as TermiLog. The basic idea 
is, in cases in which we cannot prove termination but there is a predicate with 
pseudo-recursive and non-pseudo-recursive constraints, to adorn this predicate. 
Separating the predicate into different adorned predicates may result in a pro- 
gram for which termination can be shown automatically. The success of this 
transformation underscores the importance of inferring disjunctions of conjunc- 
tions of constraints, rather than just a single conjunction (which is the common 
approach) . 

We are grateful to the referees for their careful reading and helpful comments. 
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Abstract. We give a proof-theoretic analysis of logic programs trans- 
formations, viewed as operations on proof trees in the sense of idi4mio|. 
We present a logic for reasoning about (equivalence preserving) transfor- 
mations of logic programs. Our main tool is the usage of inference rules; 
the target program may be obtained as a set of clause introduction proofs 
with axioms from the source program. The rules are admissible, that is 
every proof according to the latter can be translated back in a deriva- 
tion of the same consequence built from the source program without those 
rules. In this formal setting, we give a general schema for program trans- 
formation analysis, which can be applied to any transformation system 
based on admissible rules. As examples, we treat Partial Deduction and 
Unfold/Fold transformations. Furthermore, the proof-theoretic frame- 
work allows a uniform generalization of the basic results to other logic 
programming languages satisfying the simple requirement of regularity. 
Our perspective and overall aim is to develop the proof-theory of (logic) 
program transformation. 



1 Introduction 



We give a proof-theoretic analysis of logic programs transformations, viewed as 
operations on proof trees in the sense of j3l4l9l1 flj We present a logic for rea- 
soning about (equivalence preserving) transformations of logic programs. Our 
framework is natural deduction a la Prawitz H2|, although a totally analogous 
presentation can be given in terms of sequent calculi with definitional reflection 
0. We are not going to fully detail in this paper the systems we are using, 
though we have shown elsewhere p] (and it is beginning to be common knowl- 
edge, see p^) that, w.r.t. the language of definite clauses, the interpretation of 
’ and as implication and conjunction yields a fragment of positive intu- 
itionistic, (i.e. minimal) logic. Our basic system, let us call it Lq, contains only 
the assumption rule and a rule for applying clauses (ca), similar to the rule of 
modus ponens. 
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We shall follow this path: 

1. We achieve the transformation via the usage of inference rules; thus, the 
target program may be obtained as a set Q of clause introduction proofs 
with axioms from the source program V of the form: 

^ ~ Cl ■ ■ ■ ’ 

2. We show the rules to be (weakly) admissible, that is every proof U with 
consequence A which uses those rules can be translated in a proof t(7T) of 
the same proposition without them in the basic system with axioms from V. 
As the proofs in Lq correspond to 5L-D-derivations, this means that every 
derivation from Q is translated into a 5LD-derivation of 7^ U A}. 

3. We will look for some adequacy results. Namely, verifying that the success 
set is preserved requires certain completeness conditions on ili, . . . , for 
finite failure we need furthermore the strict monotonicity of the translation 
function. 

We pursue two applications: Partial Deduction and Unfold/Fold transforma- 
tions. Our perspective and future aim is the introduction of a general calculus 
tailored to the proof-theory of the transformation of (logic) programs. 

The paper is organized as follows: in Section El we review the basic notions 
of our framework and we relate it to 5LD-resolution w.r.t. success and 

failure. SectionO presents the general transformation schema. The next Section 
0) depicts the proof-theoretical reconstruction of Partial Deduction. Section El 
targets Unfold/Fold transformations. Finally, a brief Conclusion winds up the 
paper. 

2 Background on Proof Trees 

First we recall some basic definitions: we assume some familiarity with standard 
notions of natural deduction |l2| and logic programming [I]. 

We use a variant of the Axiom Application Rules introduced in P] . We con- 
sider the Clause Application Rule ca, for applying axioms of the form B <— 
Ai, . . . , An- Using the formalism of natural deduction, ca can be expressed as 
follows: 

Ai9 ■ ■ ■ An 6 B < — Ai , . . . , An 

ca 

BO 

where the applied clause is the major premise, Ai9, . . . , is the (possibly 
empty, for n = 0) sequence of minor premises and B9 is the consequence. Next, 
we inductively introduce the notion of proof tree (pt). 

Definition 1 ((Proof Tree)). An atom A is a (trivial) proof tree. If 7Ti :: 
Ai9,.., Iln ■■ An9 0 are proof trees andC is a clause of the form B ^ Ai, . . . ,A„, 
then the following is also a proof tree.' 

Where Ft :: A is the linear notation for a proof tree U with root A 



1 
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rii Un 

^ 1 ^ n 

^ca 

BO 

We say that, for non-trivial trees, a formula is an assumption of a proof tree if 
it is a minor premise in some leaf. We write this as 

...H ... 

n 

The clauses of a proof tree are the ones appearing as major premises. The root 
of a proof tree is called its consequence. A proof tree is a proof of B from a 
set V of clauses iff B is its consequence, its clauses belong to V and it has no 
assumption. 

Major premises (i.e. clauses) will be considered modulo variable renaming; 
equality and substitutions on proof trees are instead defined as follows. 

Definition 2 ((Proof Trees Equality)). 7Ti = II 2 if their clauses occurrences 
are equivalent up to renaming, while the other formuhe occurrences are identical. 



Definition 3 ((Proof Trees Substitution)). no is the tree obtained by si- 
multaneously applying a substitution 9 to the root and to all the minor premises. 
The major premises are left untouched. 

The class of proof trees is closed under substitution w.r.t. the rule ca. The 
subsumption ordering on expressions is then lifted to proof trees as follows. 

Definition 4 ((Subsumption Ordering)). 7Ti is less general than 772, writ- 
ten 7Ti < 7 T 2 , if there is a ^^stitution a such that 77i = 7T2cr. We also say that 
7 T 2 subsumes TTi. Moreover, two trees are equivalent when one subsumes the 
other and vice-versa. 

One can easily see that equivalence is equivalence on proof trees up to re- 
naming. 

Now we introduce the notions of similarity and of most general proof tree. 
This will allow us to abstract away from many details of ^TT^-derivations. For 
example, we do not need a switching lemma or the condition of fairness; analo- 
gously we avoid some fastidious standardizing apart. 

In [9] similarity was defined via the concept of axiom/rule-occurrences. For 
the more restricted class of proof trees considered here, we can give a more 
intuitive characterization, by means of the notion of a proof skeleton: 

Definition 5 ((Skeleton)). The Skeleton sk{n) of a proof tree 77 is defined 
recursively as follows: 
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1. Basis: sk{A) = [] 

2. Step: 

^ fill... Un C \ sk{IIi) . . . sk{IIn) C 
sk - caj - g ca 

That is, the skeleton of a tree is obtained by systematically replacing the root 
and minor premises with holes: the (equivalence classes of) major premises are 
unchanged. 

Definition 6 ((Similarity)). Two proof trees TTi, II 2 are said to be similar, 
written ili ~ II 2 , whenever sk(IIi) = sk{Il 2 ). 

One can easily see that ‘ is an equivalence relation. Most general proof 
trees are introduced as follows. 

Definition 7 ((Most General Proof Tree)). II is a most general proof tree 
(mgpt) if it is maximal among similar trees. 

As shown in the system Lq is regular, i.e. for any two similar proof trees 
there is a similar proof tree subsuming them. In regular systems, each similarity 
class contains a mgpt, which is unique up to renaming. Regularity is a property 
also of similarity classes of continuations of U, i.e. similarity classes containing 
only continuations of II, where the latter are thusly defined: 

Definition 8 ((Continuation)). Let B ^ A\, . . . ,An be a clause C and let 

... H ... 

n 

be a proof tree with an assumption H such that B9 = HO, for some substitution 
0. The one-step continuation of H selecting H and applying C w.r.t. 9 is the 
proof tree: 

Ai9 ■ ■ ■ AnO B < — Ai, . . . , An 

. . . H9... 

no 

7T2 is a continuation of Hi, written Hi A H 2 , if H 2 can be obtained from Hi by 
a sequence of one-step continuations. 

Note that substitutions in continuation steps do not need to be most general 
unifiers. One can easily see that: 

Proposition 1. Hi ^ il2 if and only if there is a substitution a such that Hia 
is an initial subtree of 7T2 . 

Definition 9 ((Most General Continuations)). A continuation is most gen- 
eral (mgc) if it is maximal in its similarity class. A continuation is canonical iff 
it is a one-step mgc. 
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Since similarity classes of continuations are regular 0, every mgc of a pt is 
unique up to renaming. One can also see that canonical continuations are the 
one-step continuations that use most general unifiers. 

Definition 10 ((Height)). The height of a proof tree, written h{II), is defined 
here as the length of its minimum branch. 

Definition 11 ((Forests)). A forest is a finite sequence of proof- trees. A one- 
step continuation of a forest selecting H and applying a clause C w.r.t. 9 is 
defined as follows: H is an assumption of a proof tree II of the forest, II is 
substituted by its one-step continuation selecting H and applying C w.r.t. 9, and 
the substitution 9 is applied to the proof trees in the sequence that share variables 
with 77. 

All the properties of continuations of proof trees extend to continuations of 
forests. In particular: 

Theorem 1 ((Forest Continuation)). TTi, . . . , 7T„ A 7T(, . . . , 77(, if and only 
if there is a substitution a such that IlkU is an initial subtree of Il'f., for 1 < k < 
n. 

2.1 Proof Trees and SLD-Resolution 

Proof trees have been designed to give an exact proof-theoretical rendering of 
SLD-iesolution: for example, let us consider the program SUM, built out of the 
following clauses: 



Co: sum{X,0,X)^ 

Cl : sura{X, s(T), s{Z)) <— sum{X, Y, Z) 

An S'AD-derivation for a goal (<— A, 9) can be seen as a stepwise construction 
of a pt 77 :: A9. Below, we show the continuations corresponding to the 577)- 
derivation for <— sum{ssO, sO, A): 

^ sum(ssO, sO, A) 9\ = [X/ ssQ,Y/Q, A/ s{Z)] 

^ sum(ssO, 0, Z) 02 = [Ai/ssO, Z/ssO] 

^ □ 



Notice that the formulae in the current goal correspond to the assumptions of 
the relative pt. 



sum(ss0, sO, A) ^ 



sum(ss0,0, Z) Cl ^ 

sum{ss0, sO, s(Z)) ~ 



Co 

sum{ss0,0, ssO) Ci 
sum{ss0, sO, sssO) 



In this way every 5777-derivation can be translated into a pt and this yields 
the proof-theoretical equivalence between the two systems (see 0)- More for- 
mally: 
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Definition 12. An SIjT)- derivation is incomplete if at any point no literal is 
selected and the derivation is thusly terminated. It is relaxed if mgu ’s are not 
necessarily used. If idempotent mgu’s are used, then it is canonical. 

Definition 13 ((Resultant)). Let V be a definite program, ^ G a goal and 
^ G,^ Gi, . . . ,^ Gm an incomplete relaxed SlAI- derivation for V U G} 
with substitutions 9i, ... ,9m. Let 9 be the restriction of 9\ ■ ■ ■ 9m to the variables 
of G. We say that the derivation has resultant {G9 ^ Gm)- 

In a resultant, Gm may be empty, i.e. we consider complete derivations as a 
limiting case of the incomplete ones. 

Theorem 2. Let V be a definite program and A an atom: 

1. If there is an incomplete relaxed SLD- derivation for A\ with resultant 

(Ad ^ Gm), then there is a proof-tree II :: AS in Lq, using only axioms from 
V, with assumptions Gm- If the SLD- derivation is canonical, then II :: AS 
is a most general continuation of A. 

2. If there is a proof-tree II :: AS in the system Lq with axioms from V and 
assumptions Gm, then there is an incomplete relaxed SLD -derivation ofVU 

A} with resultant {AS ^ Gm)- If II ■■ AS is a most general continuation 
of A, then the SLD- derivation is canonical. 

Proof. We give the proof for Go = A. 

1. Let A = Go, Gi, . . . , Gm (with clauses Gi, . . . , Cm and substitutions 9i,..., 9m) 
be a relaxed incomplete derivation. For 0 < i < m, let Si be the composition of 
the 9i, . . . ,9i and Aj^ , . . . , A^,, be the atoms in the goal Gp, starting with i = 0, 
we associate to Go, . . . , G^ a proof tree Ili :: ASi with assumptions A^j , . . . , A^,^. 
as follows: 

Step 0. Associate A to Go . 

Step i-hl. Let II :: ASi be the proof tree associated to Go , . . . ,Gi at step i 
and let Gj+i be obtained applying Gj+i to the selected atom A^„ (1 < n < hi) 
with unifier 9i+i] build the one-step continuation of Ili r. ASi selecting Aj„ and 
applying G^+i w.r.t. 9i+\. If at each step in Go, . . . , Gn we apply only mgu’s, the 
corresponding one-step continuations are canonical and we obtain a mgpt. 

2. n :: AS can be obtained by at least one sequence A = IIq di III di - - - di Iln = 

n of one step continuations; the corresponding b'Lil-derivation is Go, ... , Gn, 
where Gi are the assumptions of Ili, for 0 < i < n. If 7T :: AS is a most general 
continuation of A, then the continuations must be canonical and therefore the 
derivation Go, . . . , G„ is canonical. □ 

Similarly, b'LI^-derivations starting with goals <— G, where G is a sequence 
of atoms, correspond to stepwise constructions of forests continuing G. 

Finally, there is a natural proof-theoretic characterization of finite failure. 

Definition 14 ((Failed Assumption)). In a proof-tree II, an assumption A 
is failed w.r.t. V iff there is no continuation of II with selected atom A and 
clauses from V. An ended tree w.r.t. V is either a proof or a proof tree with at 
least one failed assumption. 
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Definition 15 ((Failure)). An atom A is failed w.r.t. V if and only if every 
ended tree (w.r.t. V) II :: Act has at least one failed assumption. 

Definition 16 ((Finite Failure)). An atom A is finitely failed w.r.t. V if and 
only if it is failed w.r.t. V and there exists a k sueh that every proof-tree II :: Aa 
with axioms from V has height less or equal to k. 

You can check that this definition of finite failure is equivalent to the usual 
one in terms of SLD-tiees and fairness. The equivalence holds because height is 
defined as the length of the minimum branch. ‘Infinite’ failure is non-finite failure, 
i.e. there is an infinite sequence of continuations A ^ ili ^ ^ Ilk ^ • with 

increasing height. An infinite pt II :: A can be seen as the ‘limit’ of this sequence. 



3 The General Framework 

In our approach, a transformation system for Horn logic, or more in general, 
for regular AAR-systems |S| is characterized by a set of rules, called clause 
introduction rules. In this way, we always deal with two inference systems: the 
basic calculus Lq, containing only the ca rule, and a super-calculus L\, containing 
ca and the clause introduction rules. We will write 



n :: V,rhL, c 

to indicate that the proof tree II with clauses from a program V, assumptions 
r and consequence C applies rules of Li (where j = 0 or * = 1). If 77 is a proof 
(i.e. r is empty) we will write 77 :: P C. 

The calculus Li allows to prove new clauses starting from the ones of a 
program V. It is used to transform a source program V into a derived program: 

The derived clauses can be used as program clauses. 

Definition 17 ((Use of a derived Program)). A proof tree using a derived 
program Q is a proof tree that applies clauses of Q by means of ca in the basic 
calculus. 

Thus any proof tree 77 using Q has a double interpretation. On one hand, 77 
is a proof tree 77 :: V,L C only using rules of 7i and axioms of the source 
program V. On the other hand, if we hide in 77 the proofs of the applied clauses, it 
is apparent that we obtain a proof tree in Lq with clauses Ci <— ;Bi, . . . , Cn <— 
That is, we can consider Q as a (transformed) program. In this case, we write 
77:: Q,L^Lo C. 

This double interpretation allows to study the properties of the derived Q in 
terms of the properties of the system L\ and those of the source program V . In 
this section we will introduce the notions of weak admissibility of introduction 
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rules, strict monotonicity of the translation function w.r.t. the system L\ and 
completeness of Q with respect to success and to infinite trees of V (to be 
defined below). Then we set up a general schema to study the correctness of 
transformation systems, based on the following results: weak admissibility entails 
partial correctness, completeness with respect to success guarantees that the 
success set is preserved and, to preserve the finite failure set, strict monotonicity 
and completeness with respect to infinite trees are needed. 



3.1 Weak Admissibility and Soundness 

Consider a source program V and a derived program Q, as before. 

Definition 18 ((Soundness)). Q is sound with respect to V if, for every proof 
n Q\-Lg A, there is a proof II' '.'■V\^Lo 

Soundness is a property ofEhl derived program Q. It is entailed by the weak 
admissibility of the clause introduction rules of Li. 

Definition 19 ((Weak Admissibility)). The clause introduction rules of Li 
are weakly admissible in Lq if there is a translation t that maps every proof 
n :: V hij A into a proof t (II) :: V A. 

Weak admissibility means that r is a partial function from proof trees of Li to 
proof trees of Lq. It must be defined for all the proofs (without assumptions) with 
atomic consequence. When r is total, we have the usual notion of admissibility 
(see e.g. [12]). We have: 

Theorem 3. Weak admissibility entails soundness. 

Proof. This follows from the fact that if 77 :: Q\-Lq A, then 77 :: V \~Li A 
(see the double interpretation of proof-trees using Q) . Weak admissibility yields 
n-.-.VLL,A □ 



3.2 Strict Monotonicity 

Let V and Q be as before. We state the following strict monotonicity properties 
of T w.r.t. Q: 

1. Let III, II 2 be two pt using Q. If 7Ti ^ II 2 , h(77i) < h{Il 2 ) and t(77i) 
and t( 772) are defined, then h(r(7Ti)) < h{T{Il 2 )) 

2. For every pt 77 using Q with arbitrarily high continuations, there is a con- 
tinuation 77 of 77 using Q such that r(7T ) is defined. 
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3.3 Completeness with Respect to Success 

Notation. Let G be a finite set of atoms. By [G] we intend the closure under 
substitution induced by the language of the source program V. 

Definition 20 ((Closure)). We say that a set of atoms is G-closed if it is 
eontained in [G] . We say that a clause is G-closed if so is the set of its atoms. 

Now, let 7^ be a source program, 

„ III Iln 

^ ~ 

be a derived program, and G be a finite set of atoms. We say that Q is G-complete 
w.r.t. success ofV iff 

1. For every A G [G] and proof II :: V A, there are strict subproofs 
III ■■ Ai,. . ., Un :: An of 77, a derived clause Cj ^ Bj of Q and a substitution 
a such that: 

(a) A = Cja and 

(b) Bj can be continued into a forest 77* :: Q, Ai , . . . , \~Lo Bja. 

2. Ai <— Bi is G-closed, for 1 < i < n. 

3.4 Completeness with Respect to Infinite Trees 

Let V, Q be as in Sect. 13.21 We say that Q is G-complete w.r.t. infinite trees of 
V iff 

1. There is a fc such that, for every Ag [G], every proof tree 77 :: V , F \- A 
with height h{II) > k has a continuation that satisfies item 1. of Sect. 1.3 .31 

2. Ai <— Bi is G-closed, for 1 < i < n. 

3.5 Main Result 

To summarize, we may have the following cases: 

1. The rules of 7i are (weakly) admissible in 7 q 

2. Q is G-complete w.r.t. success of V 

3. Q is G-complete w.r.t. infinite pt’s of V 

4. r is strictly monotonic w.r.t. Q. 

Notation. For a program V, let SS-p be the success set and Infptp the set of 
atoms with infinite proof trees of V. 

We can prove the following general results. 

Theorem 4. Given V and Q as above: 

1. entails SSq C SSp 

2. entails {SSp n [G]) C SSq 
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3. entails {Infpt-p n [G]) C InfptQ 
4- entails InfptQ C Infpt-p. 

Proof. 



1. By Th.0 

2. Let us consider a proof II :: V \~Lo for ^ € [G]. It is sufficient to 

prove that there is il' :: Q \~Lq By G-completeness, there are strict 
subproofs ill :: II n :: of iT, a derived clause Cj ^ Bj of Q and 

a substitution a such that A = Cja and Bj can be continued into a forest 
n* :: Q, Ai, . . . , An \~Lo Bja. We can build II' as follows. Consider: 



iIo = 



n* 

B,a 




H 



B, 



ca 



Note that iTo :: Q, Ai, . . . , An\~ Lo A. Iterate the same procedure to translate 
ill :: Ai,. . Pin ■■ An into proofs using Q. Use the latter proofs to complete 
iio into a proof II' . Note that the iteration can be always applied by G- 
closure and it comes to a halt, as we always consider strict subproofs. 

3. Proceed as is the previous case, with the following difference: once you get 

to the proof tree iTo, recall that since ii may be continued ad libitum, so 
does the sequence iii :: Ai,. . ., II n An. This means that this procedure 

may be indefinitely iterated, continuing thusly a proof tree using Q to an 
arbitrary height. 

4. Let iTo ^ ^ Ilk A ... be an infinite sequence of continuations (using 

Q) with increasing height. By strict monotonicity w.r.t. Q, each Ilk can 
be continued into a proof tree that has a translation. Therefore we can 
assume without loss of generality that the proof trees in our sequence have 
translations. Build the infinite sequence t{IIq) < . . . < T{IIk) d: ... It has 
increasing heights by strict monotonicity. 

□ 



Corollary 1. 

1. (1. and 2.) entail that success is preserved over G 

2. (1.2.3. and f.) entail that success and finite failure is preserved over G 

Proof. The former part 1. is trivial. The latter (2.) follows from the fact that 
finite failure is the complement of the union of success and atoms with infinite 
trees. □ 



4 Partial Deduction 

We are now in the position of giving an abstract and very high-level view of 
Partial Deduction (PD) |blti^<ltij . thanks to our framework. Note that we shall 
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not be concerned with the pragmatics of PD jl 3fl I IZf like unfolding rules, loop 
detection et cetera: those issues can be dealt with as usual. 

We will express PD be via the converse of the clause application rule, called 
clause introduction and indicated by ci. The rule discharges the (rt-th occur- 
rence(s) of the set of) assumption(s) B. 



B 

n 

C 



C ^B 



Cl 



The latter allows the derivation of resultants. For instance, from the following 
program EO 



Co : 


e(0)^ 




Cl : 


e{s{X)) ^ 


-o{X) 


C2 : 


o{s{X)) ^ 


-e{X) 



we can derive the resultant ilo " EO e(ssX) ^ e(X): 



e(X) C 2 

ca 

o(5X) Cl 

ca 

e(ssX) 

e(ssX) ^ e(X) 



As we said in the beginning of this Section, if we hide the proofs of the derived 
clauses, we can use them (by the ca rule) just as program clauses. This is shown 
below. 



Co 

ca 

e(0) C 2 



o 



(sO) 



■ ca 



Cl 



e(ssO) 



■ ca 



ITo :: e(ssA) ^ e(X) 



e(ssssO) 



Therefore we formalize Partial Deduction in the super-calculus Li containing 
the rules ca and ci: 



A Partial Deduction of a source program P with respect to a set G of 
atoms is a derivation in Li of a program Q — {Ui :: Ci <— Bi}, 0 < 1 < n, 
where the Ci are instances of formulae of G. 

We now address the problem of correctness of PD, following the guidelines 
established by Th. E] i.e. considering admissibility (and soundness), strict mono- 
tonicity and completeness with respect to success and infinite trees. 
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4.1 Admissibility and Soundness 

We have a process analogous to the local D-reduction step of normalization in 
natural deduction calculi, yet simpler, due to the restricted syntax of definite 
programs. 

Theorem 5 ((Normalization)). There is a translation r such that, for every 
atom B and proof tree U :: P, T B, t{II) :: P, T B. 

Proof. The mapping r is defined by induction on 77, as follows: 



1. t{B) = B 

2. The applied clause is the program clause C: 



I III Iln 

.AiO And 

B0 

V 



ca 

/ 



r(77i) r(77„) 

Ajd And] ^ 



3. The applied clause has been introduced by ci: 



/ 



Hi 

Aia-, 



AnCr; 



Al . ■ . An ^ 

no 

^ ri 

B^Ai...An^' 



V 



/ 



r(77i) . . .r(7T„) 

Aitr . . . And 
t{IIo)cj 
Ba 



□ 



The partial function r is essentially a normalization operator which elimi- 
nates every vicious circle of an introduction immediately followed by an elimi- 
nation with the same major premise. The mapping is total for proofs in Li of 
atomic consequences, otherwise the translation is undefined for proofs whose last 
step is ci. 

Theorem Q proves (weak) admissibility of ci in Lq. From Th. E] this yields 
soundness. 



4.2 Strict Monotonicity 

One can easily see that condition 1. of strict monotonicity w.r.t. Q holds. Con- 
dition 2. is obvious, since r is defined for every proof tree using Q. 



4.3 Completeness with Respect to Success 

Let V be the source program. G-completeness with respect to success can be 
characterized trough G-complete sets of proof trees. 
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Definition 21 ((G-complete Sets w.r.t. Success)). Let G be a set of atoms 
and {III, ■ ■ ■ , Iln} be a set of proof trees of Lq with program V. {Hi, . . . , H„} 
is G-complete with respect to success of V iff, for every A G G and proof 
n '.'.VLlo n is a continuation of Ilk, for some k, 1 < k < n. 

Now, let 

^ ni-.-.V,BihL,Gi^. n„::V,B„^L^G„^, 

Gie-Bi Gn^Bn 

be the derived program. 

Theorem 6. Let G be a set of atoms. Q is G-eomplete with respect to success of 
V z/{T(i7i), . . . ,r(il„)} is a G-complete set w.r.t. success ofV and each derived 
clause Ck ^ Bk (1 < k < n) is G-closed. 

Proof. Consider H G [G], and a proof II :: V Llq H. By G-completeness of 
{r(i7i), . . . ,r(7T„)}, there is T{IIk) A H. Therefore II can be decomposed into 
an initial subtree T{IIk)<J with root H = Gfccr and a forest proving BkO. In 
this case the required continuation of Bkcr is (trivially) BkO itself. G-closure is 
required by hypothesis. 

4.4 Completeness with Respect to Infinite Trees 

Definition 22 ((G-complete Sets w.r.t. Infinite Trees)). Let {IIi, ..., 
7T„} be a set of proof trees of Lq with program V. {Hi, . . . ,H„} is G-complete 
with respect to infinite trees of V iff there is a k such that, for every A G G and 
proof tree II :: V , P \- Aa with height greater than k, II is a continuation of 
Ilk, for some k,l < k < n. 

Now, let Q be as before. 

Theorem 7. Q is G-complete with respect to infinite trees ofV z/{r(Hi), . . . , 
r(H„)} is G-complete w.r.t. infinite trees ofV and each derived clause Gk ^ Bk 
(1 < k < n) is G-closed. 

We omit the proof, which is similar to the previous one. 

4.5 Correctness of Partial Deduction 

One can derive sets of G-complete continuations in the usual way, by incomplete 
SLD-trees with starting goal ^ G. Each path of the incomplete SLD-tree is an 
incomplete b'Lil-derivation and we can translate it into a forest. The set of non- 
failed proof trees of all those forests is G-complete both with respect to success 
and to infinite trees. By the main results of the previous Section, both success 
and finite failure are preserved. 

We can separate success from finite failure by requesting only completeness 
with respect to the former. In this case, it may be the case that some proof trees 
required only to preserve infinite trees can be omitted. 
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5 Unfolding and Folding 

Let us now turn to analyzing unfolding and folding (I11I15I16I17I, to name just 
a few) . 



5.1 Unfolding 



Unfolding needs the admissible rule ci, for which we have already given the 
translation function r. Admissibility of ci and strict monotonicity of r have been 
shown, too. 

Since we are interested in all the possible goals, we look for G-completeness, 
where G contains the predicates ri{x \), . . . , rm{xm) of V. 

In this way we can inherit the results of the previous section. 



Example 1. Referring back to the program EO of Sect.0, the following unfolded 
program Q (which brings back the usual and more efficient definition of even 
and odd) preserves success and finite failure: 



2 = 



Co 

e(0)‘ 

e(0). 



e{X) C 2 
o(sA) Cl 

^ i 

e(ssX) 

e{ssX) ^ e(A)‘ 



Co 

e(0)‘ 



C2 



o(s0) 
o(s0) < 



o{X) Cl 
e(sX) C 2 

^ i 

o(ssA) 

o(ssA) ^ o{X) 



ci° > 



Usually nmn, an unfolding transformation is seen as a sequence of programs, 
obtained thorough a sequence of single unfolding steps, where each step preserves 
completeness. Thus one obtains a final program that preserves success and finite 
failure. In our case we can define completeness directly on the final derived 
program Q, since it explicitly contains the proofs of its clauses, starting from 
the ones of the source program. 



5.2 Folding 

The folding rule refers to a folding set 



[ Biai Bk<Tk 1 

^=) i7i Hk f 

I Aai Afjk ) 

of proof trees with clauses from V, such that E is A-complete w.r.t. success of 
V. 

For such a IF, we have the following rules: 

H^r,Biai ■■■ H^r,BnOn 
H ^ E, A 



■fold{E) 
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■■■ {H^r,Bn)an 
H ^ RA 



- fold‘d (R) 



In fold, vars{vah) C\vars{r, H,A) =0 must be satisfied for 1 < h < n and every 
V € vars{Bh)\vars{A) . The rule fold allows to treat, for example, Tamaki&Sato’s 
m and Shepherdson ’sUB] folding. The rule fold‘d does not have restrictions on 
cr. It allows to treat general folding mi (R2, p. 268). Indeed, fold‘d is more gen- 
eral than fold. We distinguish the two rules because they have different logical 
explanations, as briefly remarked in the conclusions. 

We can formalize unfold/fold transformations as derivations in the super- 
calculus L 2 containing the rules ca, ci, fold{T) and fold‘^{T) (for every folding 
set T). 



Example 2. Given the following program minmax to determine the minimum and 
maximum of a list, where the definition of sup and inf are left open: 



mo : min{[X], X) <— 

mi : min{[X\XS],Y) <— min{XS, Z),inf{X, Z, Y). 

m 2 ■ max{[X], X) <— 

m 3 : max([X\XS],Y) <— max{XS, Z), sup{X, Z, Y). 

m 4 : minmax{XS, Min, Max) ^ min{XS, Min), max{XS, Max). 



and this folding set: 

^ jmin{XS,Min) max{XS,Max) mi 
1 minmax {X S, Min, Max) 

The two following trees sum up the transformation process in a very compact 
way, where each transformation step corresponds and is justified by an inference 
in the tree. 

mo m2 

min([X],X) max{[X],X) mi 

minmax([X], X , X) 
minmax {[X], X, X) ^ 



min{XS, Y) inf(X, Y, Min) mi max(XS, Z) sup{X, Z, Max) m 3 

min{[X\XS], Min) max{[X\XS], Max) mi 

minmax {[X \ X S], Min, Max) 

minmax {[X \ X S], Min, Max) ^ min{X S,Y),max{X S, Z), 

inf(X,Y,Min),sup{X,Z,Max) 

jola[j-) 

minmax([X\XS], Min, Max) <— minmax{XS,Y, Z), 

inf(X, Y, Min), sup{X, Z, Max) 

We thus obtain by folding the new recursive definition of minmax 

ms: minmax{[X],X,X) <— 

mo : minmax{[X\X S], Min, Man) <— minmax{XS, Y, Z), 

inf{X, Y, Min), sup{X, Z, Alax) 
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Weak admissibility holds, i.e. every proof U :: V \~l 2 ^ (where A is an atom) 
can be translated into a proof r(i7) V \-Lq A. Due to the fold rule, translata- 
bility is not guaranteed for proof trees II :: V , F \- A with assumptions. 

The partial function r is recursively defined as follows: 



1. The base and the recursive cases for source clauses and clauses introduced 
by ci are as in Sect. B~n 

2. If the applied clause is introduced by fold^ we have the following recursion, 
where 77*, 77 * are forests: 



Ai 

- r, Bi 



no 

A6 



H ^ 

ns 



fold(J^) 




n'* 




V 






provided that t{IIq) is a continuation of a proof lit G T . Since the latter 
has consequence Aat and assumptions BhUh, t{IIq) has the form of an ini- 
tial subproof IIh5' , continued at the top by a forest 77 * with consequences 
Bh<yhS’ (by the applicability condition, 5 and 5' coincide over F, 77). If r(7To) 
is not sufficiently high to be a continuation of any proof tree of T, we cannot 
find the sequence 77 *, and we halt the translation with an undefined result. 



3. If the applied clause is introduced by fold‘d, the translation is defined in a 
way similar to fold (omitted here for conciseness). 



Proposition 2 ((Weak Admissibility)). 7/77 is a proof, then t{FI) success- 
fully halts, i.e. every proof using clauses derived in F 2 can he translated into a 
proof using only Fq and clauses from V. 

The proof easily follows from the fact that, in every translation step related to 
the fold rules, t(77o) is a proof of 5 A and hence a continuation of some proof of 
the A-complete set T . □ 

Now let us consider completeness. As for unfolding, we are interested in all the 
possible goals, i.e. we look for G-completeness, where G contains the predicates 
ri{xi), . . .,rm{xm) of V. 

A useful sufficient condition for ri{x \), . . . , rm(a:m)-completeness is fold com- 
pleteness: 

Definition 23 ((Fold Completeness with respect to Success)). Let V be 

a source program and Q = {Hi :: Ci -f— Bt}, 1 < i < n be a program derived 
from V in L 2 . We say that Q is fold-complete with respect to success of V if 
every proof tree 

Y3 Ili 
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has continuations that can be successfully translated and the set of all the trans- 
lations is ri{xi), ... ,rm{xm)- complete w.r.t. success ofV. 

Theorem 8 ((Completeness with respect to Success)). Fold completeness 
with respect to success ofV entails ri(xi), . . . ,rm{xm)- completeness with respect 
to success ofV. 

Proof. Consider a proof II :: V H. By fold completeness, there is il' :: 
Q,Ai,...,An\-Lo H such that: t(TT') A 77 and 77' applies (at the root) a derived 
rule, say Ci ^ Bi. Therefore 77' contains the required forest proving BiU, and 77 
contains the required strict subproofs. G-closure is required by hypothesis. □ 

Fold Completeness with respect to infinite trees is obtained if, in Def.[23, we 
replace success by infinite trees. 

By the last theorem and our general results, fold completeness with respect 
to success of V guarantees that the success set is preserved. Note that there 
are cases of folding that are incomplete. Appealing to that, we can explain the 
well-known problems related to self- folding. Consider the source program V: 

p ^ r 
r <— 



A p-complete iF is 

T = 

and the transformed program is 

Q = 



r p ^ r 



-ca 



p r 
p^p 



fold(.A) 



Q is incomplete since for every continuation in Q of the proof tree below 

p ^ r 



p p^ p 



-fold(.F) 



P 

the translation fails. On the other hand, the program Qi 

p ^ r 



Qi 



p^p 

p ^ r 
r ^ 



-fold (7^) 



is fold-complete. Indeed the continuation 

r p r p r 



-ca 



P 



P^P 



fold(.F) 



-ca 



P 
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is translated into 

r p ^ r 

ca 

P 

Finally, as an immediate consequence of the general results, we have also the 
following theorem: 

Theorem 9. If Q is fold-compete with respect to success and infinite trees and 
T is strictly monotone w.r.t. Q, then finite failure is preserved. 

6 Conclusions and Perspectives 

We have given a proof-theoretic analysis of some well known transformation 
rules. We have omitted for conciseness the treatment of the preservation of open 
answers. This can be done in our general framework by using the notion of most 
general proof trees. 

Our analysis shows that one can use a very general schema, based on the 
notions of admissibility, completeness with respect to the source program and 
properties of the translation function, like strict monotonicity. Moreover, our 
formalism and general results nicely generalize to other logic programming lan- 
guages: in fact it is possible to apply our general schema to logic programming 
languages that can be formulated as Axiom Application Systems laTm] . say for 
example normal or disjunctive programs. 

This paper presents work in progress. A further main step is the study of a 
set of basic logical inference rules and non-logical principles, that allow to derive 
all the admissible rules corresponding to the kind of transformations known in 
the literature. In other words, we are looking for a calculus to infer program 
transformation rules. In this way we achieve two main advantages: 

1. We can study and classify the rules from a logical point of view. For example, 
one can prove that the two folding rules have different logical justifications. 
In fact, fold can be derived from the completion of V, by using only the 
logical rules. To derive fold‘d , we need also an w-rule, as the one given in 
PI in the context of Partial Inductive Definitions. Moreover derivations 
can be embedded in the context of a specific theory, for example in the 
axiomatization of a data type. In this way transformations can be guided by 
the knowledge of a specific problem domain. 

2. By using a set of basic rules, we can, in principle, derive new transformation 
rules. Of course, their usefulness is a question of experimental work. 

A final point that we want to exploit is the use of proof-schemas. For example, 
one could try to detect regularities in a schema: this information could suggest 
the definition of suitable new eureka predicates, to be used in transformation. 
Up to now we have tried only some experiments in this direction, using examples 
like the Fibonacci numbers, or the ‘average’ program considered in m- 

Acknowledgments. We would like to thanks Frank Pfenning and one anony- 
mous referee for having carefully read and suggested useful modifications to the 
previous version of the paper. 
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Abstract. This paper presents two views of stepwise enhancement, one 
a pragmatic syntax-based approach and the other a semantic approach 
based on higher order functions and relating to shape and polytypism. 
The approaches are outlined, and the perhaps surprisingly close relation- 
ship between the two described. By combining the advantages of both 
approaches, it is shown how more code in both functional and logic pro- 
gramming languages can be constructed in a systematic and partially 
automated way. 



1 Motivation 



In the last couple of years, there has been renewed interest in systematic methods 
for the construction of Prolog programs, for example (Gegg-Harrison, EMEI), 
(Power and Sterling. II QDDII . (Kirschenbaum et al.. II (Sterling and Yalginalp, 
II 996jl . and (Vasconcelos and Fuchs, II Qflbjl . This paper loosely characterises the 
progression of approaches that have been offered for systematic construction of 
logic (usually Prolog) programs. There is a trade-off between what is accessible 
for practical programmers and what is clearly explained in theory. 

We claim that both audiences can be addressed through stepwise enhance- 
ment. The method can be explained directly in term of programming techniques 
applied to simple programs, and also given a more theoretical basis in terms 
of higher order functions. We review stepwise enhancement, sketch how to cap- 
ture an enhancement as a higher order function adapted from foldr, and then 
sketch how individual enhancements are specialisations of the particular foldr 
predicate. We show how this is closely related to the new ideas on shape and 
polytypism being discussed in the functional programming community (Jay and 
Cockett, EM||, (Jay II QQ'^ (Belle et a.1 , IIQQbT (Jeuring and Jansson, EHEj), 
(Jansson and .Teuriug, ll QQ7I) We go on to generalise this work in several ways, 
utilising key features of logic programming such as nondeterminism and flexible 
modes, and show how foldl can also be adapted. 

Norbert E. Fuchs (Ed.): LOPSTR’97, LNCS 1463, pp. 245-ESni 1998. 

© Springer- Verlag Berlin Heidelberg 1998 
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2 Approaches to Developing Prolog Programs 

1. The early approach, characterised by ‘Programming in Prolog’ (Clocksin and 
Mellish, B DS1 ^ and ‘Prolog by Example’ (Coelho et ah, r DSSI was completely 
ad hoc. Prolog was a declarative language and it was easier/fun/exciting for 
many researchers to code in a declarative style. The approach did not lead 
to systematic Prolog training nor encourage high productivity. 

2. Another approach is based on structural induction. Anyone who programs in 
a logic language notices that code manipulating lists typically has a similar, 
recursive structure. It is well known that recursion in programming languages 
is related to proofs by induction in mathematics. This observation can lead 
to a systematic approach where logic programs are developed along with 
structural induction proofs of correctness. A coherent account of structural 
induction as the basis for systematic logic program construction is given in 
(Deville, ITMn^ . It is not clear how well Deville’s approach scales nor how 
easy it is for the non-mathematically inclined to master. 

3. An approach advocated for teaching Prolog has been to use templates or 
schemas. Students are invited to ‘fill in the blanks’. The blanks can be 
thought of as parameters which are predicates. Advocates of schemas are 
O’Keefe ITMi) and Gegg-Harrison r iTWi . Schemas have not been widely 
adapted, due partly to the fact that those who grasped Prolog programming 
didn’t need them, and those that didn’t had an extra level of complexity to 
learn, the language that the schemas were expressed in. 

4. The recent work by Fuchs and colleagues (Fuchs and Fromherz, ITMT) . (Vas- 
concelos and Fuchs, attempts to combine the previous two approaches. 
A logical specification is (somehow) arrived at, and then schemas are used 
to guide the transformation of the specification to a program. 

5. Stepwise enhancement (Lakhotia, r (Sterling and Kirschenbaum fftW.'-iji 
and (Sterling and Shapiro, H 1^4) was introduced by Sterling and colleagues in 
an attempt to simplify the teaching of complicated Prolog programs. Rather 
than have to explain higher order concepts, programmers and novices were 
taught programming techniques which at all times manipulated concrete 
Prolog programs. 

6. Naish (r advocated a higher order style of programming, very similar to 
that used in functional programming languages. It was shown how some op- 
erations of stepwise enhancement, such as applying a technique to a skeleton 
and composition, could be elegantly reproduced in a higher order framework. 

This paper continues the discussion between the authors on how best to char- 
acterise stepwise enhancement. The current work was sparked by the challenge 
to use the higher order approach to explain a ‘complicated’ program, the rule 
interpreter described in Section 17.4 of the second edition of The Art of Prolog 
(Sterling and Shapiro, H DD4I . In explaining the program, a new method was for- 
mulated: the final program is built around an output type rather than an input 
type. In this paper we give another example of this technique, using a different 
interpreter. 
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What has emerged is a better understanding of how types can drive program 
development, and how Naish and Sterling’s views of systematic program con- 
struction via stepwise enhancement are complementary. The work relates to re- 
cent, exciting work in the functional programming community concerning shape, 
which sets our views on program development in a broader context and also sug- 
gests that logic program development is more general. This paper presents the 
dual view of stepwise enhancement. 



3 Stepwise Enhancement for Program Construction 

The method of stepwise enhancement (Lakhotia, II was originally conceived 
as an adaptation of stepwise refinement to Prolog. It was advocated as a way 
to systematically construct Prolog programs which exploits Prolog’s high-level 
features. The key idea underlying stepwise enhancement is to visualise a pro- 
gram or solution in terms of its central control flow, or skeleton, and techniques 
which perform computations while the control flow of the skeleton is followed. 
Techniques can be developed independently and combined automatically using 
the method of composition. 

The most common data structure for logic programs is the list, and many 
programs are based on skeletons for traversing lists. A tutorial example of using 
stepwise enhancement to develop a simple program is given in Chapter 13 of 
(Sterling and Shapiro, II 9941 . In this section we give the basic list processing 
program as Program 1 for reference, and a (slightly) more elaborate example 
with binary trees. 

is_list ( [] ) . 

is_list ( [X I Xs] ) is_list(Xs). 

Program 1: A skeleton for list traversal (or definition of lists) 



Programs 2a and 2b are skeleton programs for traversing binary trees with 
values only at leaf nodes. Program 2a, the left-hand program, does a complete 
traversal of the tree, while Program 2b, the right-hand program, traverses a single 
branch of the tree. Note that Program 2a can be viewed as a type definition of 
trees. 

is_tree(leaf (X) ) . branchCleaf (X) ) . 

is_tree(tree(L,R) ) branch(tree(L,R)) branch (L) . 

is_tree(L), branch(tree(L,R)) branch (R) . 

is_tree (R) . 



Programs 2a, 2b: Skeletons for traversing a tree 
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Techniques capture basic Prolog programming practices, such as building a 
data structure or performing calculations in recursive code. Informally, a pro- 
gramming technique interleaves some additional computation around the control 
flow of a skeleton program. The additional computation might calculate a value 
or produce a side effect such as screen output. Syntactically, techniques may re- 
name predicates, add arguments to predicates, add goals to clauses, and/or add 
clauses to programs. Unlike skeletons, techniques are not programs but can be 
conceived as a family of operations that can be applied to a program to produce 
a program. 

A technique applied to a skeleton yields an enhancement. An enhancement 
which preserves the computational behaviour of the skeleton is called an exten- 
sion. 

We give examples of techniques. The two most commonly used techniques 
are the calculate and build techniques. They both compute something, a value 
or a data structure, while following the control flow of the skeleton. An extra 
argument is added to the defining predicate in the skeleton, and an extra goal is 
added to the body of each recursive clause. In the case of the calculate technique, 
the added goal is an arithmetic calculation; in the case of the build technique, 
the goal builds a data structure. In both cases, the added goal relates the extra 
argument in the head of the clause to the extra argument (s) in the body of the 
clause. 

Two typical examples of the application of the calculate technique are given 
as Programs 3a and 3b. Both are extensions of Program 2a which traverses a 
binary tree with values at its leaves. The left-hand program (3a) computes the 
product of the value of the leaves of the trees. The extra argument in the base 
case is the value of the leaf node. In the recursive case, the extra goal says that 
the product of a tree is the product of its left subtree and its right subtree. The 
predicate is_tree has been renamed to prod_leaves. The right-hand program 
(3b), which computes the sum of the leaves, is very similar, the only difference 
being choice of names and the extra goal. 

prod_leaves (leaf (X) ,X) . sum_leaves (leaf (X) ,X) . 

prod_leaves(tree(L,R) ,Prod) sum_leaves (tree (L, R) , Sum) 

prod_leaves (L , LProd) , sum_leaves (L , LSum) , 

prod_leaves (R,RProd) , sum_leaves(R,RSum) , 

Prod is LProd*RProd. Sum is LSum+RSum. 

Programs 3a, 3b: Extensions of Program 2a using calculate 



Two enhancements of the same skeleton share computational behaviour. 
They can be combined into a single program which combines the functional- 
ity of each separate enhancement. Techniques can be developed independently 
and subsequently combined automatically. The (syntactic) operation for com- 
bining enhancements is called composition. This is similar in intent to function 
composition where the functionality of separate functions are combined into a 
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single function. Program 4 is the result of the composition of Programs 3a and 
3b. 

prod_sum_leaves (leaf (X) ,X,X) . 
pr od_sum_leaves (tree (L , R) , Prod , Sum) : - 
prod_sum_leaves(L,LProd,LSum) , 
prod_sum_leaves(R,RProd,RSum) , 

Prod is LProd*RProd, 

Sum is LSum+RSum. 

Program 4: The composition of two extensions 



A different programming technique uses accumulators. The accumulator- 
calculate technique adds two arguments to the defining predicate in the skeleton. 
The first argument is used to record the current value of the variable in question 
and the second contains the final result of the computation. The base case relates 
the input and output arguments, usually via unification. One difference between 
calculate and accumulate-calculate is in the need to add an auxiliary predicate. 
Another is that goals and initial values need to be placed differently. 

Program 5 shows the result of applying the accumulate-calculate technique 
to the tree traversal program, Program 2a. It computes the sum of the leaves of a 
binary tree and is comparable to Program 3b. In general, programs written with 
accumulator techniques will run more efficiently than the equivalent program 
written with calculate and build techniques, due to the way tail recursion is 
implemented in Prolog. 

sum_leaves (Tree, Sum) accum_sum_leaves (Tree, 0, Sum) . 

accum_sum_leaves (leaf (X) ,Accum,Sum) 

Sum is Accum + X. 

accum_sum_leaves (tree (L , R) , Accum , Sum) : - 
accum_sum_leaves (L , Accum , Accuml ) , 
accum_sum_leaves(R,Accuml,Sum) . 

Program 5: Extension of Program 2a using accumulate-calculate 



Program 6 is an example of the application of the accumulate-build technique, 
also applied to Program 2a. It builds an inorder traversal of the leaves of the 
tree. There is no explicit arithmetic calculation, rather lists built by unification 
in the base clause. There is one trick here. Accumulators build structures in 
reverse order and hence the right subtree is traversed before the left subtree in 
order to have the final list in the correct order. 



traversal(Tree,Xs) accum_leaves (Tree, [], Sum) . 
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accum_leaves (leaf (X) , Accum, [X I Accum] ) . 
accum_leaves(tree(L,R) , Accum, Xs) 
accum_leaves (R, Accum, Accuml) , 
accum_leaves(L,Accuml,Sum) , 

Program 6: Extension of Program 2a using accumulate-build 



The skeletons and techniques presented in this paper are all taken from Pro- 
log, but stepwise enhancement is equally applicable to other logic programming 
languages, as discussed in Kirschenbaum, Michaylov and Sterling ( L00t)l . They 
claim that skeletons and techniques should be identified when a language is first 
used, in order to encourage systematic, effective program development. This 
learning approach should be stressed during teaching. They show that the skele- 
tons and techniques for Prolog can be extended to constraint logic programming 
languages, notably CLP(R), concurrent logic programming languages such as 
Flat Concurrent Prolog and Strand, and higher order logic program languages, 
in particular Lambda-Prolog (Nadathur and Miller, IL98SI . 

4 A Higher Order View of Programming Techniques 

Naish ( Lt)t)t)i argued for a higher order approach to programming in Prolog, based 
on similar techniques which are widely used in functional programming. One of 
the key steps in this approach is to develop suitable higher order predicates which 
can be used for a whole class of computations over a particular data structure. 
Modern functional languages have certain data types and higher order functions 
built in. For example, the polymorphic type list(T) and higher order function 
foldr which generalises the common simple recursion used to compute a value 
from a list. Program 7 demonstrates the use of foldr using Prolog syntax in the 
style of (Naish, 119951 . 

type list(T) > [] ; [T|list(T)]. 

foldrCF, B, [] , B) . 
foldr (F, B, [A| As] , R) 
foldr(F, B, As, Rl) , 
calKF, A, Rl, R) . 

sum(As, S) foldr(plus, 0, As, S) . 
product(As, P) foldr(times, 1, As, P) . 
length(As, L) foldr(addl, 0, As, L) . 
addl(_, TailLen, Len) Len is TailLen + 1. 



Program 7: Using foldr 
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In addition to the input list and result, foldr has two other arguments. One 
is the base case: what to return when the end of the list is reached. The other is 
a function — a predicate in the Prolog context. The predicate takes the head of 
a list and the result of folding the tail of a list to give the result of folding the 
whole list. The call/N predicates are available as builtins or library predicates 
in several Prolog systems. The first argument (a predicate) is called with the 
additional arguments added. For example, call(plus(A) ,R1,R) is equivalent 
to plus (A , R1 , R) , which is true if A+R1=R. In (Naish, H flQRl an alternative higher 
order primitive, apply/3, is recommended due to its greater flexibility. In this 
paper we simply use call/N as it is more widely known. 

Examples in (Naish, B show how foldr can be used to compute both 
the sum and product in a single pass by using a pair of numbers for the base 
case, intermediate results and final answer. These higher order definitions can 
be optimised very effectively using a partial evaluator such as Mixtus (Sahlin, 
B ddRI Further examples are given to show how predicates which are analogous 
to foldr can be constructed. 



5 Incorporating Shape 

Recent work on shape (Jay and Cockett, OmJ, (Jay, EHS], (Belle et ah, B 
and polytypism (Jeuring and Jansson, EM), (Jansson and Jeuring, EM) has 
formalised how many data types have certain higher order functions naturally 
associated with them. For example, map takes a list and produces another list 
of the same length. The shape of the output, the list structure, is the same as 
the shape of the input and the elements of the lists are related by the function 
map applies. The idea of map can be applied to any algebraic type such as lists 
and trees, and also arrays and matrices. A generic version of map applied to a 
binary tree will produce a binary tree of the same shape where the elements of 
the trees are related by the function map applies. 

Similarly, foldr can be generalised to any algebraic type. For lists, a call 
to foldr specifies two things: what should be returned for the empty list, and 
what should be returned for a non-empty list, given the head and the result of 
folding the tail. For a general algebraic type we need to specify what should be 
returned for each constructor in the type, given the arguments of the constructor 
corresponding to type parameters and the result of folding the arguments which 
correspond to a concrete type (generally the type being defined recursively). 

Consider the prod_leaves example given earlier as Program 3a. The overall 
operation is to fold a tree into a single number. We need to define the results of 
folding terms of the form leaf (X) and tree(L,R) , given the folded versions of 
L and R. 

Reconstructing the predicate is_tree as a definition of the type bt(T) and 
using the approach of (Naish, B QQRI we arrive at Program 8: the definition of 
foldr for this tree type, and corresponding definitions of prod_leaves and 
sum_leaves. In (Naish, B it was assumed that foldrbt would be written by 
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a programmer who has the required degree of insight. It is now clear that this 
predicate can be generated automatically from a definition of the type. 

type bt(T) > leaf(T) ; tree(bt(T) ,bt(T)) . 

f oldrbt (TreeP , LeafP, leaf (X) , Folded) 
call (Leaf P, X, Folded), 
f oldrbt (TreeP , LeafP, tree(L, R) , Folded) 
f oldrbt (TreeP , LeafP, L, FoldedL) , 
f oldrbt (TreeP , LeafP, R, FoldedR) , 
call(TreeP, FoldedL, FoldedR, Folded). 

prod_leaves(T, P) f oldrbt (times , =, T, P) . 

sum_leaves(T, P) f oldrbt (plus , =, T, P) . 

Program 8: Extensions of Program 2a using foldr 



6 You’ll Take the High Road and I’ll Take the Low Road 

The previous work of the authors sketched above can be seen as taking two 
different roads for program development starting from the same place (a type 
definition) and arriving at the same destination (the enhanced program), as 
shown in Figure 1. 



High Road 

type foldr foldr instance 

optimise 

skeleton enhancement 

Low Road 

Fig. 1. Two roads to enhancement 



Sterling suggested the low road in Figure 1, going from the type to the en- 
hancement via the skeleton. To explain how to travel the low road is simple 
and does not require very abstract thinking or complex software tools. Such an 
approach to systematic program construction may be favoured by many pro- 
grammers. 




A Higher Order Reconstruction of Stepwise Enhancement 253 



Naish suggested the high road in Figure 1, writing a version of foldr for 
the given type, using an instance of this foldr (a particular call to it) and then 
optimising, for example using a partial evaluator. The additional abstraction 
and concentration on semantics rather than syntax may be favoured by more 
experienced programmers using more advanced programming environments. The 
work on shape allows us to automatically obtain the foldr definition from the 
definition of the type. 

There is a very simple mapping between algebraic types and a class of logic 
programs called RUL programs (Yardeni and Shapiro, HbhOjl . RUL programs 
only have unary predicates. The argument of each clause head has the top level 
functor instantiated but all sub-terms are unique variables. Clause heads are 
mutually non-unifiable (thus predicates are deterministic when their arguments 
are instantiated). The arguments of all calls are variables which occur in the 
head and nowhere else in the body. Examples of RUL programs are is_list 
(Program 1) and is_tree (Program 2a). 

The high road taken by functional programmers is equivalent to starting with 
a skeleton which is a RUL program and enhancing it with predicates which be- 
have as functions, that is, they are deterministic and always succeed. The theory 
of functional programming can be used to prove results concerning composition 
of enhancements, for example, and generally give a theoretical justification for 
the idea of enhancement. 



7 Generalising Both Approaches 

Having found a class of programs for which the high and low roads are equivalent, 
we can see several ways to generalise both. The low road can have improved han- 
dling of non-recursive clauses and more flexible skeletons. The high road can be 
made more flexible by eliminating the type, mode and determinism restrictions 
inherited from functional programming. 



7.1 Goals in Base Cases 

The first (very simple) observation is that enhancements should allow general 
goals to be added to the base cases of enhancements. For pedagogical reasons, 
the original presentation classified enhancements into different categories ac- 
cording to the kind of goal added to recursive clauses and only allowed ad- 
ditional unifications to be added to facts. The limited abstraction simplifies 
learning but also restricts the scope of enhancements. For example, to find 
the sum of the squares of the leaves of a tree using foldrbt we could use 
f oldrbt (plus , square , Tree , SumXX) , where square takes a number and re- 
turns its square. The optimised program (or enhanced skeleton) would have a 
call to square in the base case. 
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7.2 Non-deterministic Skeletons 

Algebraic types correspond to RUL programs, in which are predicates are deter- 
ministic and only have single arguments. The stepwise enhancement paradigm 
has no such restriction: nondeterministic skeletons such as branch (Program 2b) 
and connected (Program 9) can be used. 

connected(A, A) . 
connected(AO , A) 
edge (AO , Al) , 
connected(Al , A). 

Program 9: Transitive closure of the edge/2 relation 

As noted in (Naish, U99KI . higher order logic programs can also be nondeter- 
ministic and nondeterministic analogues of foldr can be constructed. A version 
of foldr for paths in a graph was written (using considerable intellectual effort) 
based on the simple transitive closure procedure connected, above. The close 
relationship between ‘shape’ and stepwise enhancement we have uncovered can 
be used to generalise the transformation from algebraic types (or RUL programs) 
to foldr functions. From an arbitrary skeleton (not necessarily a RUL program), 
we can generate an appropriate version of foldr as follows. 

A procedure with A arguments and C clauses leads to a higher order pro- 
cedure with C+A+1 arguments. It has C ‘higher order’ arguments and one 
additional ‘result’ argument. The recursive calls in the clause bodies have the 
same higher order arguments as the head and new variables for their results. 
Each clause also has an additional call/N with the higher order argument for 
that clause, the variables in the head which did not appear in any recursive body 
calls, result arguments of the body calls and the result argument of the head. 
If this call has only two arguments then call/2 is replaced by =/2 (the higher 
order argument is simply a term which is returned for the base case). Mutual 
recursion can be treated in the same way (read recursive as mutually recursive), 
where C is the number of clauses in the set of mutually recursive procedures. 

For list/1 and tree/1 the results are the foldr/4 and foldrbt/4 defini- 
tions given in programs 7 and 8. For brainch and connected the results are in 
Program 10. The foldrcon procedure here is actually more general than the 
manually constructed version (which had a base case of V=FB instead of call/3) 
and can be used in the applications described in (Naish, 11990^ . 

foldrbCFL, FR, FB, leaf (X) , V) 
calKFB, X, V). 
foldrbCFL, FR, FB, t(L,R), V) 
foldrbCFL, FR, FB, L, VI), 
calKFL, R, VI, V). 
foldrbCFL, FR, FB, t(L,R), V) 
foldrbCFL, FR, FB, R, V2) , 
calKFR, L, V2, V). 
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foldrcon(FE, FB, A, 
calKFB, A, V). 
foldrcon(FE, FB, AO, 
edge (AO, Al) , 
foldrcon(FE, FB, 
calKFE, AO, VI, 



A, V) 

A, V) 

Al, A, VI), 
V). 



Program 10: Nondeterministic foldr for branch and connected 



7.3 Polymorphic Types and Higher Order Skeletons 

Monomorphic types such as list correspond to first order skeletons (RUL pro- 
grams, as we have seen). The work on shape and polytypism uses polymorphic 
types such as list(T), where T is a type parameter. Polymorphic types corre- 
spond to higher order skeletons with additional arguments. A type t(Tl, T2) can 
be mapped to a predicate t(Tl,T2,X) which succeeds if X is of type t(Tl,T2). 
If the definition of type t contains the constructor c(El,E2) (where El and E2 
are type expressions) then t/3 will have the clause 
t(Tl, T2, c(X, Y)) call(£:i, X), ca.ll{E2 , Y) . 

Instances of call/N can be specialised if their first argument is a nonvariable. 
For example, the type list(T) leads to the predicate list/2 in Program 11. The 
type rtree(T), an M-way tree consisting of a term rt(X, Y) where X is of type T 
and Y is of type list(rtree(T)) can be defined using the predicate rtree/2. 

list(T, []). 
list(T, [XiXs]) 

calKT, X), list(T, Xs) . 

rtree(T, rt(X, RTs)) 

call(T, X), list (rtree (T) , RTs). 

Program 11: Higher order skeletons for list(T) and rtree(T) 



Higher order skeletons go against the spirit of simplicity embodied in step- 
wise enhancement and the control flow of the program above (mutual recursion 
through call/N) would certainly be confusing for a novice programmer. The 
advantage is that it saves having multiple copies of similar code. Rather than 
have a separate skeletons for simple lists, lists of lists, lists of rtrees et cetera, a 
single higher order definition can be given. A specialised definition of a type such 
as rtree (any) can be obtained by partial evaluation (eliminating all instances of 
call/N) and a version of foldr can be derived as described above. For rtree, 
the result is Program 12. 

rtree_any(rt(X, RTs)) :- 
list_rtree_any (RTs) . 
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list_rtree_any ( [] ) . 

list_rtree_any ( [RT I RTs] ) 
rtree_any (RT) , 
list_rtree_any (RTs) . 

foldrrt(FR, FC, B, rt(X, RTs), V) 
foldrlrt(FR, FC, B, RTs, VI), 
calKFR, X, VI, V). 

foldrlrt(FR, FC, B, [] , V) 

B = V. 

foldrlrt(FR, FC, B, [RTiRTs], V) 
foldrrt(FR, FC, B, RT, VI), 
foldrlrt(FR, FC, B, RTs, V2) , 
calKFC, VI, V2, V). 

Program 12: Specialised skeleton and version of foldr for rtree 



7.4 Flexible Modes 

As well as allowing flexibility with types and nondeterminism, logic programs 
allow flexibility with modes. Rather than having fixed inputs and one output, 
as in functional programs, logic programs can potentially be run backwards — 
computing what would normally be considered the input from a given output. 
This flexibility can extend to higher order predicates, including those generated 
automatically from skeletons. 

As an example, we will construct a meta interpreter for Prolog by using 
foldrrt backwards. A Prolog proof tree can be represented by an rtree, where 
each node contains (the representation of) a Prolog atom which succeeded. The 
foldrrt procedure can be used to check that an rtree of atoms is a valid proof 
tree for a particular program and goal. A proof tree is valid if the atom in the root 
is the goal and for each node in the tree containing atom A and children B1,B2, 
there is a program clause instance A:-B1,B2,.... The proof_of procedure in 
Program 13 represents clauses as a head plus a list of body atoms (procedure 
Iclause) and can check that an rtree is a valid proof tree and return the atom 
which has been proved. 

7o Checks Proof is a valid proof tree and returns proved Atom; 

7o run backwards its a meta interpreter returning a proof tree 
proof _of (Proof , Atom) 

foldrrt (lclause2 , cons, [] , Proof, Atom). 

7o checks H B is a clause instance; returns H 
lclause2(H, B, H) lclause(H, B) . 
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7o clause/2 where clause bodies are lists 
lclause(append( [] ,A,A) , [] ) . 

Iclause (appendC [A I B] ,C, [A|D] ) , [append (B,C,D)] ) . 

Iclause (appends (A, B,C,D) , [appendC A, B,E) , append (E,C,D)] ) . 



cons(H, T, [HIT] ) . 

Program 13: Interpreter constructed using rtree 



With a suitable evaluation order, the code can also be run backwards. Given 
an atom, f oldrrt acts as a meta interpreter, (nondeterministically) returning a 
proof tree for (a computed instance of) the atom. This is an example of construct- 
ing a program based on the type of its output, as discussed earlier. By utilising 
the natural association between a type and f oldr and the flexible modes of logic 
programming, much of the process can be automated. 

7.5 Foldl 

In many cases, the higher order function foldl is preferable to foldr since it 
is tail recursive rather than left recursive (thus more efficient, at least for strict 
evaluation). It is not immediately obvious how to adapt foldl to general tree 
types rather than just lists. One possibility, suggested by Barry Jay is to perform 
a breadth first traversal (foldr uses a depth first traversal). This can be coded 
in a tail recursive fashion and is a familiar programming technique. 

Another possibility, which we pursued initially and is used in (Belleannie et 
al HHH71 . is to use foldr with more complex data flow, using logic variables. The 
result argument of foldr can be a pair of terms, one of which can be used as an 
input, and the accumulator style of programming can be used. If the accumulator 
is a list, we can think of foldr returning a difference list (Sterling and Shapiro, 
I instead of a list. With this style of programming, the data dependencies 
are such that the instances of call/N in the foldr definitions can be executed 
before the recursive call(s), allowing tail recursion. 

However, we believe the most elegant and natural generalisation of foldl is 
evident in the stepwise enhancement paradigm. We adapted stepwise enhance- 
ment to produce higher order foldr procedures using a generalisation of the 
calculate and build techniques. By using accumulator techniques we can produce 
a foldl procedure for any skeleton. Accumulators are used much more widely 
than breadth first traversals and the code produced has simple data flow and 
can be translated into a functional language if the initial skeleton corresponds 
to an algebraic type. 

The transformation is similar to the one described for foldr. The same num- 
ber of higher order arguments are used and there is one output argument, as 
before, but there is also an extra accumulator argument. The call/N is the left- 
most atom in the body and the accumulator and output arguments are ‘threaded’ 
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through this and the recursive calls in the clause body in the familiar way (Ster- 
ling and Shapiro, ClMjl. The accumulator and output arguments can be made 
implicit by using the standard Definite Clause Grammar notation. The resulting 
version of foldl for lists is as follows. 

7o Explicit accumulator version 
foldl (FC, FB, [], AO, A) 
calKFB, AO, A). 
foldKFC, FB, [XiXs], AO, A) 
calKFC, X, AO, Al) , 
foldKFC, FB, Xs, Al, A) . 

7o DCG (implicit accumulator) version 
foldKFC, FB, []) — > 
calKFB) . 

foldKFC, FB, [XiXs]) — > 
calKFC, X) , 
foldKFC, FB, Xs) . 

Program 14: Automatically derived foldl for lists 



There are two differences between this version of foldl and the standard 
foldl for lists. The first is the argument order for the call to the FC ‘function’ is 
swapped. This is not essential but allows the accumulator and output arguments 
to be implicit using the DCG notation. It is also consistent with foldr. The 
second difference is the use of a function called in the base case. The standard 
version of foldl simply returns the accumulator when the end of the list is 
reached. This is equivalent to our version of foldl with the identity function 
(=/2 in Prolog) as the function for the base case. 

For ‘linear’ data structure such as lists, calling a function when the base case 
is reached adds no real power. The function can always be called at the top 
level after foldl has returned, with the same effect. However, for tree struc- 
tures, a function application at the base case is often essential. Below are the 
versions of foldl for the bt type and connected procedure. Note prod_leaves 
(sum_leaves) has the multiplication (addition) at the leaves, as in Program 5. 

foldlbtCF, B, leaf(X)) — > 
calKB, X) . 

foldlbtCF, B, t(L,R)) — > 
call(F) , 

foldlbtCF, B, L), 
foldlbtCF, B, R). 

prod_leaves(T, P) 

foldlbt(=, times, T, 1, P) . 
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sum_leaves(T, P) 

foldlbt(=, plus, T, 0, P) . 

rev_traverse(Tree, Xs) 

foldlbt(=, cons, Tree, [] , Xs) . 

foldlcon(F, B, A, A) — > 
calKB, A) . 

foldlcon(F, B, AO, A) — > 
calKF, AO) , 

{edge(A0, Al)}, 
foldlcon(F, B, Al, A) . 

7o non-looping connected; returns path 
con_no_loop(A0, A, As) 

f oldlcon(cons_nm, cons, AO, A, [] , As). 

cons_nm(A0, As, [AO I As]) 
not memberCAO, As). 

Program 15: Versions of foldl for is_tree and connected 

For foldlcon, the call to edge is not recursive, so accumulator arguments 
are not added (braces are used to indicate this in the DCG notation). From 
foldlcon it is simple to code con_no_loop which finds connected nodes but 
avoids cycles. The accumulator is the list of nodes visited so far, in reverse 
order. The procedure which adds a new node to the accumulator, cons_nm, fails 
if the node is already on the path. The path is also be returned at the top level. 

Since the skeleton is_tree is a RUL program and hence equivalent to an 
algebraic type, foldlbt is deterministic and behaves as a higher order function 
over that type. The threading of the accumulator and result arguments in the 
body of a clause is equivalent to nesting of functional expressions. For complete- 
ness, we give the equivalent Haskell code in Program 16. 

>data Bt a = Leaf a I Tree (Bt a) (Bt a) 

>foldlbt :: (a->a)->(b->a->a)->(Bt b)->a->a 
>foldlbt f b (Leaf x) a = b x a 

>foldlbt f b (Tree 1 r) a = 

> foldlbt f b r (foldlbt f b 1 (f a)) 

>sum_leaves t = foldlbt (id) (+) t 0 
Program 16: Haskell version of foldl for is_tree/type bt 



There are actually two possible versions of foldlbt, depending on the order 
in which the two subtrees are visited. By swapping the two recursive calls in 
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the DCG version, the argument threading is also changed, leading to a logically 
different procedure. The procedure rev_traverse in Program 15 returns the re- 
verse of the traversal returned by Program 6. Using the other version of f oldlbt 
would result in the same traversal order. The choice of traversal orders and ad- 
ditional argument in foldl are consistent with the intuition that programming 
with accumulators or foldl is more complicated than using simple recursion or 
f oldr. 

8 Further Work 

A category theoretic reconstruction of our method for deriving versions of foldl 
(restricted to RUL programs) may produce some deeper insights and should 
extend the understanding of shape and polytypism for functional languages. A 
more theoretical treatment of the higher order logic programs we derive may also 
be worthwhile. For example, our approach can be adapted to logic programming 
languages such as Lambda-Prolog (Nadathur and Miller. Ifh88l which have higher 
order constructs with well defined semantics. 

Further generalisations of foldr and foldl could also be devised (Belleannie 
et al rwi . For example, we could add higher order calls to the start and end of 
each clause body, or even between each call as well. Other ‘shapely’ operations 
such as zip2 (which takes two lists and returns a list of pairs) could also be 
generalised, as suggested by (Jay, L995I . We note that more expressive higher 
order predicates are not necessarily better in practice. There is no benefit in 
using a generalised foldr which is applicable in five percent more situations if 
each use is ten percent more complicated than foldr. The ideal situation is to 
have a collection of higher order predicates or functions with a good tradeoff 
between applicability and complexity. Such sets can be developed over time, 
based on coding patterns which occur in practice. 

9 Conclusions 

Research into systematic program construction has the important aim of elevat- 
ing coding from the realm of arts and entertainment to science and engineering. 
In this paper we have built a bridge between the pragmatic syntax-based ap- 
proach of stepwise enhancement and the very theoretical semantic approach of 
shape and polytypism. Despite the gulf between the research methodologies be- 
hind these two approaches, there is a very close relationship between them. This 
is pleasing in itself but also allows us to see ways in which both approaches can 
be generalised. 

From the work on shape and polytypism in functional languages we have 
the generality of arbitrary functions as parameters, polymorphic types and the 
automatic synthesis of certain higher order functions from algebraic types. From 
the work on stepwise enhancement in logic programming, we have the generality 
of nondeterminism, additional arguments, flexible modes and use of accumula- 
tors. By combining the advantages of both approaches, we have shown how more 
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code in both functional and logic programming languages can be constructed in 
a systematic and partially automated way. 
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Abstract. Schema-based program transformation [3| has been proposed 
as an effective techniqne for the optimisation of logic programs. Schemata 
are applied to a logic program, mapping inefficient constructs to more 
efficient ones. One challenging aspect of the techniqne is that of proving 
that the schemata are correct. 

This paper addresses the issue of correctness. We define operations for 
developing correct schemata by construction. The schema development 
operations are higher order equivalents of the classic program transfor- 
mations of fold/unfold 0]. We consider a transformation schema to be 
correct if its application yields a target program which is equivalent to 
the source program under the pure Prolog semantics. 

The work described in this paper makes three contributions: a method- 
ology for the development of provably correct program transformation 
schemata, abstraction of program transformation operations to transfor- 
mation operations on schemata, and a higher-order unification algorithm 
which forms the basis of the schema transformation operations. 



1 Schema-Based Transformations 

A program transformation technique based on transformation schemata is de- 
scribed in [3]. Transformation schemata are defined using patterns — higher- 
order terms which can be instantiated to program fragments. A transformation 
schema is applied to a program by scanning the program for a piece of code 
which matches the source pattern, and replacing it with the instantiated target 
pattern. 
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A program transformation schema is defined in |H| as a 4-tuple, which spec- 
ifies that a conjunction of goals Gi, ...,G„ with corresponding predicate defini- 
tions Si,...,Sn can be transformed into a conjunction of goals Hi,...,Hn with 
corresponding predicate definitions Ti, 

((Gi, G„), (5i, 5„), (ill, Hr,), (Ti, ...,T„)) (1) 

Such schemata can encode a wide range of useful transformations, e.g. loop 
fusion, accumulator introduction and goal reordering. 

This paper addresses the issue of proving the correctness of transformation 
schemata. There are two basic design decisions we must make when considering 
the correctness of program transformation schemata: 

1. Do we seek to prove the correctness of existing schemata, or do we instead 
only provide tools for constructing new schemata which are guaranteed to 
be correct? We have decided to take the latter approach. 

2. How do we define the correctness of a program transformation? This question 
is discussed in the next section. 

The paper is organised as follows. First we discuss related work in ga We 
define equivalence of programs in (0 relative to the pure Prolog semantics, then 
outline in (0how correct transformation schemata can be constructed incremen- 
tally by the application of abstract transformation operations, which are the 
equivalents on program patterns of the classic fold/unfold transformations on 
programs. We define a language for expressing program patterns and transfor- 
mation schemata in and outline a unification algorithm for program patterns 
in gEl The abstract transformation operations are described in concentrating 
on the development of a correct unfold operation. We discuss the representation 
of transformation correctness conditions (gS|) and the progress of our implemen- 
tation (gSI), before outlining how predicate termination information could be used 
(gni- Finally, we discuss further work (gni) and draw our conclusions (gnj. Ap- 
pendix m presents the unification algorithm, and appendix 0 goes through an 
example schema development using schema folding and unfolding operations. 



2 Related Work 

Research on schemata is a very active field. Of the many papers that have 
been published in the last years we will focus on three that describe recent 
developments. 

After discussing the advantages and disadvantages of various schema lan- 
guages, ^ introduce a new language to represent program schemata based on a 
subset of second-order logic, enhanced with specific schema features, and with 
global and local constraints. Their language is a variant of the language pro- 
posed by |B| , though with the essential difference that constraints are not part of 
the schemata but are made explicit in a first-order language. The introduction 
of explicit constraints not only increases the expressiveness of the language but 
also guides the matching of the schema with a program through the successive 
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application of rewriting and reduction rules. Starting with a schema S, a set 
of initial constraints C, and a program P, the pair {S = P, C) is successively 
rewritten and reduced to ( 0 ,C"). All occurring constraint sets are consistent. 
Then there is a substitution 6 G C so that SO — P and 0 satisfies the initial 
constraint set C. 

While most researchers — including (3 and ourselves — represent schemata 
purely syntactically as first- or second-order expressions, 0 ] express schemata 
as full first-order theories called specification frameworks. A specification frame- 
work axiomatises an application domain. It contains an open — i.e. only partially 
defined — program that represents the schema itself. The authors state that the 
main advantage of their approach is that it simplifies the semantics of schemata 
since the specification framework can be given a model-theoretic semantics in the 
form of reachable isoinitial models. Based on this semantics the authors define a 
notion of correctness for schemata. Correct schemata are expressed as parametric 
specification frameworks that contain steadfast open programs, where steadfast 
means that the programs are always correct provided their open relations are 
computed correctly. Based on the notion of correct program schemata one can 
synthesise steadfast open programs which are not only correct but also reusable. 

The authors of 0 ] base their work on the concepts of specification- frameworks 
and steadfastness suggested by 0 . To extend these concepts to be used for pro- 
gram transformations they introduce the additional concept of the equivalence of 
the open — i.e. partially defined — programs computing the same relation. Then 
they define a transformation schema as a 5 -tuple {Si, S2, A, O12, O21) where 
and S2 are program schemata, i.e. specification frameworks, A an applicabil- 
ity condition ensuring the equivalence of the open programs within S\ and S2 
with respect to the top-level relation computed, and O12 (resp. O21) a set of 
optimisability conditions which ensure the optimisability of S2 (resp. Si). The 
authors present some concrete transformation schemata that they have imple- 
mented: divide-and-conquer, tupling generalisation, descending generalisation, 
and duality laws. The authors evaluate these transformation schemata with a 
small number of performance tests. The results show that the transformations 
cannot be used blindly thus necessitating the above mentioned optimisability 
conditions. 



3 Choice of Semantics 

A transformation is defined to be totally correct if the source and target programs 
are equivalent under the chosen semantics. We must choose which semantics to 
use. 

The correctness of transformations of Prolog programs under a variety of 
semantics is discussed in 0 . Much of the existing work on the transformation of 
Prolog programs only considers the simplest semantics, the Herbrand semantics. 
This permits many powerful and interesting transformations. Unfortunately, if 
these transformations were let loose on a real Prolog program, they would wreak 
havoc, because the Herbrand semantics does not capture the intended meaning of 
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Prolog programs as they are written in practice. Schema-based transformations 
have, from the outset, been intended as a practical tool for program transforma- 
tion, so we have decided to use a realistic semantics, the so-called pure Prolog 
semantics so that the resulting transformations can be applied to real programs. 
The pure Prolog semantics accurately reflects the semantics of Prolog programs 
when executed under the standard SLD resolution strategy. Programs must be 
cut-free and negation- free, and it is assumed that Prolog unification includes an 
occurs check. 



4 Correctness by Construction 

Many of the program transformations which are correct under the Herbrand 
semantics, e.g. unfold, are only correct under the pure Prolog semantics if certain 
conditions hold. For example, a literal (other than the first one) can only be 
unfolded in a clause if it is “non-left propagating”. Generally, conditions such 
as this can only be established when the transformation schema is applied to 
a concrete program. We therefore modify the presentation of schemata given 
in 1^ (as the authors of suggest) by extending schemata with correctness 
conditions. The goal conjunctions Gi,...G„ and Hi,...,Hn which provide the 
transformation context in m can be provided by adding a predicate with body 
Gi, ..., Gn to the source program, so we omit them in this presentation. 

The state of development of a schema transformation is represented by a 
tuple 0 , where Schema is a list of labeled clauses as described in m Op is the 
schema transformation operation which was applied to bring us to this state, 
is a set of conditions which must be satisfied when the schema is applied 
to a Prolog program to ensure correctness of the resulting transformation, and 
Previous History is another history structure. 

history {Schema, Op, <P, Previous Hi story). (2) 

Correct schemata are developed by successive application of the available trans- 
formation operations, which are defined in such a way that when the resulting 
schema is applied to a program, there is a correspondence between the abstract 
operations which were used to develop that schema, and transformation opera- 
tions on the source program yielding the target program. 

The top line of figure E depicts a complete schema development. The figure 
as a whole illustrates how matching a schema pattern to a program fragment 
induces a matching process from the transformation operations and correctness 
conditions on schema patterns to corresponding transformation operations and 
correctness conditions on programs. The correctness conditions, <Pi are accu- 
mulated during the development process, so that <Pk+i ^ A ... A <l>k- Once 
development has been completed, the intermediate stages can be stripped away, 
leaving just Schema^, <l>n and Scheman- In principle, such a development could 
perform the transformation of a number of predicates. If the predicates which 
are transformed have heads Pi,...,Pk in Schemao, and P(,...,P^ in Schemun, 
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Fig. 1. A schema development. Each horizontal arrow is labeled with an oper- 
ation together with its associated substitution and correctness conditions. 

then we could express the resulting transformation schema in the language of 
Fuchs and Vasconcelos |B| as a tuple: 

((Pi, ..., Pk) , Schemao, {P[, ..., P^,) , Scheman, <Pn) 

• Ot) 

Note that some of the schema development operations Schemak =?■ Schemak+i 
may modify Schemak in addition to Schemak+i - If such an operation is applied, 
then we can only define a transformation schema from Schemak to Schema^ 
and we say that the source pattern has been reset. 



5 The Schema Language 

The starting point for a schema development is a list of clauses. Each clause is 
represented internally as a term label : clause{Head,Tail), which is portrayed 
as: label : Head <— Tail. We distinguish the following kinds of term: 

1. Object-level variables var(Name), portrayed form “Name”. 

2. Vector variables vec{Type, Length, Name). Type is the atom ‘G’ to indicate 
that this is a vector of goals, or ‘A’ to indicate that it is a vector of arguments. 
Length is either a positive integer or zero or a Prolog variable. Name is 
either an atom or an integer. The portrayed form is TypeName:Length, so 
for example vec{‘G’, -,x) is portrayed as “Gx:_”. 

3. Predicates pred{P, Args), where P is an atom or a variable var(Name) and 
Args is a list of arguments. The portrayed form is “P(Args)”. 

4. Function applications apply {F, Args), where F is an atom or a variable 
var{N ame) andAr^s is a list of arguments. The portrayed form is “F(Args)” . 

5. Lists of arguments or goals. The elements of the list can either be predicates 
or function applications, as appropriate for the type of the list, or vectors of 
the appropriate type. 
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6. Clauses Head ^ Tail. Head must be a single goal pred{Name,Args). 

Tail is a (possibly empty) list of goals or goal vectors. 

7. Sequences of clauses y. 

The language defined above is close to that defined in pj, except that we 
do not require the notation (used in |Hj to mean that x occurs as the 

nth argument of a predicate or function). The facility to specify the lengths of 
vectors can be used to perform the same function, e.g. f{L, R) is replaced 

by f{vec{‘A’,n— L), X,vec{A’, R)). In addition, we define a notation (y) 
for representing sequences of clauses, which allows us to refer during schema 
development to the context of the predicates to be transformed. 

6 Unification of Schemata 

Unification is the essential component of the Prolog execution strategy. A higher- 
order matching algorithm is also an essential component of the application of 
schemata to programs, during which patterns in the schema must be matched 
to parts of the Prolog program which are to be transformed. When we are 
constructing correct transformation schemata, unification is again essential, to 
allow us to apply abstract versions of the familiar program transformation steps 
of fold, unfold etc. This unification is an extension of the matching used when 
applying schemata to programs. 

In the next section, we outline a higher-order unification algorithm for pro- 
gram patterns. The generality of this algorithm allows us to define very powerful 
equivalents on program patterns of the fold and unfold program transformations, 
but this generality also means that we have to be quite careful how we define 
them. 



6.1 There Is No Single Most General Unifier 

The principal problem is of how to unify two terms which consist of a mixture of 
goal (or argument) vectors and predicates (or functions). If we consider vectors 
of goals to be lists, and single goals to be singleton lists, then the separating 
comma can be considered as the list append operation. Unification of goal pat- 
terns then involves unification of lists modulo the associative append operation. 
Associative unification is discussed in p309]. A decision procedure exists to 
determine whether two terms are unifiable, but there may be an infinite number 
of most general unifiers (mgus). For example, p{X)^{X,a) and p{Y),q{a,Y) 
unify producing an infinite sequence of substitutions lil 

{a/X, a/F}, {(a, a)/X, (a, a)/F}, ..., {a^/X, a^/Y }, ... 

Usually, however, we expect only a finite set of most general unifiers, and may 
raise an error condition if there are too many unifiers to process. Often, we only 

^ Substitutions are oriented such that applying a substitution {X/Y} to Y yields X. 
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need the first unifier which is returned by the algorithm, and need not consider 
other possible unifiers. When this is not the case, we may be able to rank the 
unifiers according to some measure and only use the best one. We will come back 
to the problem of multiple unifiers later. 

6.2 The Unification Algorithm 

Unification proceeds left-to-right. We allow terms in which function and pred- 
icate symbols may be variables. We have implemented such a unification algo- 
rithm, which is presented in appendix 0 As an example, consider the problem 
of unifying G2, Q(A), G3 with i?2, Q(U), i?3, given the substitution a. There are 
four possible distinct ways to partition the goals and vectors between the two 
terms: 

1. H2 = G2. Add the substitution {G2/H2} to cr, and try to unify Q(A),G3 
with Q(T), H^. 

2. H2 = G2,D2 where D2 is nonempty. Add the substitution {(G2, U2)/i?2} 
to CT, and try to unify (5(A), G3 with D2, Q{Y),H3. 

3 . G2 = H2,D2 where D2 is nonempty. {{H2, D2)/G2} to cr, and try to unify 
D2,Q{X),G3 with Q(r),7?3. 

4. Otherwise. The two terms do not unify. This branch of unification fails, and 
the algorithm backtracks. 

In the example above, there are 5 unifiers: {H2, Q{Y),H3), {H2, (5(U), (5(A), G3), 
(i?2, Q{Y),D 3 , Q(A), G3), (G2, Q(A), Q(A), i?3) and (G2, Q(A), ^3, Q{Y),Hs). 

7 Transformation Operations on Program Patterns 

Theorem 14 of [HI describes how the transformation rules of leftmost unfolding, 
deterministic non-left propagating unfolding, Tamaki-Sato folding, Tamaki-Sato 
definition and definition elimination can be used correctly to transform a definite- 
clause program under the pure Prolog semantics. In this section we show how to 
define versions of these operations on program schemata. We concentrate on the 
fold and unfold, only outlining the case for the other transformations. The exam- 
ple of appendix 0 uses these operations to develop an example transformation 
schema. 

7.1 Schema Initialisation, Clause Addition, Specialisation 

Schema development starts with a completely blank program pattern. Three op- 
erations are provided whose main purpose is to introduce sufficient structure into 
the program pattern to give the operations of folding and unfolding something 
to work with. These operations are: initialisation, clause addition, and special- 
isation. Initialisation throws away any current schema development and starts 
again from the blank pattern. Clause addition appends a new clause pattern 
iJ <— T to the program pattern. There are two types of clause specialisation: 
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pattern instantiation unifies a chosen subterm of a clause pattern with a user- 
specified pattern term, and division splits a chosen argument or goal vector in a 
clause into two. 

Although each of these operations can be applied at any time during devel- 
opment, applying one of them to a program pattern P to give a new program 
pattern P' resets the source program pattern to P' . It is therefore preferable to 
apply them only at the beginning of a schema development. 



7.2 Abstract Unfold 

Care Is Needed with Unification 

We would like the abstract unfold operation on program patterns to mirror 
the concrete unfold operation on programs, as described in [B, p.284]. At first 
sight, we can say that to apply an abstract unfold operation to an atom A in 
an abstract clause, c: H ^ L, A, R using abstract clauses ui : Hi ^ Ti, ..., : 

Hn <— Tn, we replace c by n clauses ci, ..., c„ defined by Ci : H6i ^ (L, Ti, R)0i 
where for each c^, 6i is a most general unifier such that A6i = Hi9i, plus abstract 
versions of the concrete unfold correctness conditions, in particular that the 
unfold be non-left propagating^ This means that the atoms to the left of the 
Ti in the new clauses Ci must be variants of (i.e. identical up to renaming) the 
atoms to the left of A in c. 

Unfortunately, the definition above has several problems. As noted in ^b. It 
there may be more than one mgu for each unification problem. Each such mgu 
makes certain commitments in the transformed program. We cannot use all 
the mgus, since they are not in general disjoint, and so doing would introduce 
repeated solutions. Therefore we must pick one mgu for each unification. 

Picking one unifier (and hence one set of commitments) from several possibil- 
ities means that the resulting transformation schema may be a program special- 
isation, not an equivalence. In order to prevent specialisation of the transformed 
program, we must apply the unifier to both the source and the target pattern. 
How can we do this when there are multiple clauses with which to unfold? The 
choice of unifier we make when unfolding with each of the clauses will generally 
be incompatible. For example, when unfolding an atom p{A, K, B) using a clause 
with head p{W,cons{H,T), Z) we are faced with a choice of unifiers like those 
in §6.21 

The solution we adopt here to ensure that we do not pick incompatible uni- 
fiers for the unfolding clauses is to generalise the heads of the unfolding clauses 
Ui so that they are identical, and insert appropriate equality atoms explicitly 
into the bodies of the clauses. This allows us to pick a single unifier for all the 

Ui. 



^ As the example of 0 [Example 14] shows, left-propagating unfolds can change the 
order of the returned answer substitutions, so we must disallow them. 
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The Abstract Unfold Operation 

For an example of the application of the unfold operation defined in this 
section, see appendix B. To resolve the problems outlined above, we unfold a 
clause c : P <— L, using clauses u\ \ Hi ^ <— T„, in the 

following steps: 

1. Generalise the Hi to H such that the arguments of H are variables or vectors. 
Let Oi be an assignment of values to these arguments so that HOi — Hi. In 
order to ensure that each 9i is unique, the unification is made deterministic 
by disabling rules (0 and (0 of Appendix ^ which disallows substitutions 
of the form {{)/ vector} or {{vector, vector) / vector} . Each substitution 6i is 
expressed as a list of equation^ Aj = E}- 

2. Find an mgu 0 such that A0 — HO. This is the only point in the unfold 
step at which we must make a choice of unifier, and making this choice 
necessitates the next step. 

3. In the source, replace clause c with c' : P0 ^ L0, A0, R0. In certain special 
cases, this may not be necessary. See the explanatory note in the paragraph 
at the end of this section. 

4. In the target, replace clause c with n clauses: 

c, : P0^{X[ = El,..., XI = El)0,L0,T,0,R0 

5. For each Ci, eliminate any intermediate variables and vectors which were in- 
troduced by the unification algorithm, i.e. were not present in c or ui, ..., Un. 

In accordance with p.284], we require the following conditions to hold: 

1. u\,...,Un constitute one entire predicate definition — the program to be 
transformed contains no clauses apart from u\, ...,Un which define the same 
predicate, and these are all the clauses which define the predicate. 

2. In addition, either: 

(a) L = {) — the unfold is a leftmost unfold, or 

(b) the unfold is non-left propagating. This condition can only be checked 
when the pattern has been instantiated by matching with a program 
fragment, so for each Ci, a term nonJeft-propagating(c,A,Ci) is added to 
the set <P of transformation conditions. 

By applying the unifier 0 to the source pattern as well as to the target, we 
ensure that the resulting schema does not specialise the program to which it is 
applied. This disturbs the development history, and means that we must essen- 
tially start a new development with the new source pattern as the initial pattern. 

® Note that each of the unifying substitutions di must be converted to a list of equa- 
tions. The equations are unoriented, and this allows us to compose the 9i with the 
mgu 6, since applying 0 to an equation X = Y yields a new equation (which is 
later solved by unification in step (5) above) XO = Y9, whereas applying 0 to a 
substitution {X/Y} may not yield a valid substitution, e.g. when 9 = {f{a.)/Y}. 
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However, in the special case where 0 is only a renaming of c, no modification of 
the source pattern is necessary, allowing the development history to be retained. 
In the case that there is more than one possible unifier &, it is preferable to 
choose one which is a renaming where this is possible — this can be achieved 
by modifying the pattern unification algorithm to return renamings before other 
unifiers. In order to encourage the existence of renaming unifiers, it is important 
to try to develop enough structure in the pattern using the clause addition and 
specialisation operations before applying unfolding. 

7.3 Abstract Fold 

With folding, as with unfolding, we must take care not to specialise the trans- 
formed program. An example of the development of a transformation schema for 
loop fusion using folding and unfolding is contained in appendix B. 

The abstract fold definition mirrors that of Tamaki-Sato folding (definition 
R3 of jS] ) . There are a number of conditions which need to be checked to ensure 
that the fold is a correctness-preserving transformation: 

1. The folding atoms must be fold-allowing as described in Theorem 14 and 
Definition 7 of |^ . In order to keep track of which atoms are fold-allowing and 
which are not we must allow vectors to be marked with their fold-allowing 
status {true or false), and ensure that any unification which splits a vector 
into a number of vectors or atoms marks them with the same fold-allowing 
status as their parent. 

2. As stated in |0|, there is also a restriction on the substitution which unifies 
the body of the folding predicate with the folded atoms; suppose we are 
folding a number of atoms E in the body of a clause H ^ L,E,R using the 
body of a clause El' ^ G. li 9 is the unifying substitution, i.e. Ed = GO, 
then 9 restricted to the set vars{G) — vars{H') is a variable renaming whose 
image has an empty intersection with the set vars{H, L, H'9, R). In general, 
it is not possible to decide this until the schema is matched with a program, 
but there is a significant special case when vars{G) — vars{H') = {} which 
arises when all the vectors and object-level variables of the folding predicate’s 
body, G, also occur in the folding predicate’s head, H' . In this special case, 
the condition is trivially satisfied (clause c6 of Appendix B falls into this 
special case, for example). 

3. Folding generally requires that some states in the schema development will 
simultaneously contain both old and new predicates, and the two types of 
clause must be carefully distinguished to ensure correctness is guaranteed. 



7.4 Definition Introduction 

In order to develop powerful transformations such as loop fusion, it is necessary 
to be able to apply the definition introduction rule. We use the Tamaki-Sato 
definition rule described in p] R15], which allows a new clause to be introduced 
as long as its head is a predicate which does not already occur in the program. 
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and the literals in its body are made from predicates which are already in the 
program. 



8 Transformation Correctness Conditions 

Application of a schema development operation entails checking certain correct- 
ness conditions. These conditions can be partially checked while the schema 
development is taking place, but there is always a residual condition which can 
only be checked when the schema is applied to a program. For example, suppose 
we need to ensure that a certain clause is not recursive. This means checking 
that there is no goal in the body of the predicate with the same predicate (and 
arity) as the head of the predicate. For the following clause, it is easy to verify 
that this condition does not hold: 

P{X)^G,P{Y),H 

If, however, we replace P{Y) in the body by Q{Y), we cannot be certain. We 
cannot say immediately that the condition does not hold, but there is a residual 
which must be checked whenever the resulting transformation schema is applied 
to a program, namely that P is not equal to Q, and that P does not appear in 
G or P[. 

The way in which the correctness conditions are expressed will be an im- 
portant factor in ensuring the correctness of a schema development system. For 
example, for each schema development operation there could be a correspond- 
ing Prolog predicate. This simplifies the implementation of the correctness con- 
ditions (they are just pieces of Prolog code), but is unsatisfactory for several 
reasons: 

1. ensuring the correctness of the schema development system is then made 
difficult, because it depends on the correctness of these checking predicates, 
and 

2. it is difficult to perform reasoning about Prolog predicates. 

The preferable alternative is to express these conditions using logical formulae 
containing a small number of primitives such as subterm{X, T) — A is a subterm 
of T, vars{T, V) — P is the set of variables in term T etc., connected by logical 
connectives (universal and existential quantifiers, conjunction and negation). 
This not only permits a high degree of confidence in the correctness conditions, 
but the finer grain and logical nature of such a language also makes it possible 
to perform some reasoning with the conditions. 

9 Implementation 

The unification algorithm, and simplified versions of the fold and unfold oper- 
ations have been implemented in Sicstus Prolog. Some correctness conditions 
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are enforced, but many more need to be added. A text-based user interface al- 
lows the user to apply the abstract schema development operations discussed 
in this paper, and allows schema developments to be loaded and saved. Output 
of pattern terms is easily achieved with suitable definitions of the portray/ 1 
predicate. Input is more tricky, since we would like to be able to input higher- 
order terms in a natural way. For example, the term P{L, A, R) is represented 
internally as pred(varCp) , [vec(’A’ 1) ,var(a) ,vec(’A’ ,_,r)] ), and both 
portrayed and input as P (A1 : A , Ar : _) . This is achieved by reading input into a 

string, which is then parsed by a DCG. Vector lengths are represented by Prolog 
variables, and Prolog handles their unification. 



10 Exploiting Predicate Termination Information 

One of the problems we encounter when constructing transformations which are 
correct under the pure Prolog semantics is that we must take care to preserve the 
termination behaviour of predicates. This means that we cannot simply prune 
a clause such as because if G\ or G 2 does not terminate, then nor will c, 
whereas the pruned version (in which the entire body is replaced by “fail”) fails 
finitely. 

c : Gi,G2,1 = 2,G3. (3) 

This can be overcome either by allowing the transformation of infinite to 
finite failure, or by exploiting the termination properties of predicates when the 
transformation schema is applied. It is expected that many useful transformation 
schemata will require information on the termination properties of the predicates 
to which they are applied. 

The termination properties of some predicates are already known, for exam- 
ple arithmetic goals, unification and test predicates. More generally, determining 
termination properties of predicates is a problem which has already been ad- 
dressed by several researchers. For example termination properties are heavily 
used in the Mercury system p]. The simplest approach is to allow the user to 
annotate predicate definitions to indicate termination properties. Termination 
may be established only for certain modes of a predicate. Modal inference and 
annotation would therefore be another useful extension. 



11 Laws 

The application of laws is essential to many transformation techniques. For ex- 
ample, the associativity of append is necessary for the transformation of naive 
reverse into the tail-recursive version. Laws can be represented using program 
patterns. For example, associativity can be represented as below, and declaring 
a predicate to be associative corresponds to a particular instantiation of P: 



P{A, P, T), P(T, G, E) = P{B, G, V),P{A, V, E). 
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12 Further Work 

There are many directions for further work. First and foremost, it is necessary to 
prove the correctness of the abstracted unfold operation, fully define and prove 
correctness conditions for the abstracted fold operation, define a flexible mech- 
anism for applying laws, and extend the implementation accordingly. Following 
this, further schema transformation operations can be developed, for example a 
pruning operation, as described in £ll 1 )l 

Vector lengths can be used very effectively to reduce the number of solutions 
returned when two patterns are unified. Currently only equality relationships 
between vector lengths can be expressed. In particular, if a vector V :L\ is unified 
with a pattern Xi:Mi,X 2 '-M 2 , we cannot express the fact that Li = Mi + M 2 - In 
1^, vector lengths can be constrained using =,=< inequalities, but in the light 
of the above example, we could go further and extend the system to represent 
and solve such constraints, which are problems in Presburger arithmetic and 
therefore decidable. 

It may be useful to introduce some automatic guidance into a schema devel- 
opment system, which may suggest strategies such as generalisation or tupling 
when appropriate. Proof plans (21 may be suitable for this. Indeed, we can view 
the schema development operations as tactics, in which case it is natural that 
proof plans should provide the meta-level. 

It is also important to study the expressiveness of the resulting transforma- 
tion schemata. The lack of induction in schema development operations is likely 
to be one source of these restrictions. 

13 Conclusions 

In this document we have proposed a technique for developing correct trans- 
formation schemata for Prolog programs. Correct transformation schemata are 
constructed by applying a sequence of development operations. A transforma- 
tion is correct if when it is applied to a program, it yields a new program which 
is equivalent to the original one under the pure Prolog semantics. This means 
the program must be negation and cut-free. 

The system is based on a higher-order unification algorithm for schema terms. 
The schema development operations, which are abstract equivalents of the clas- 
sical fold/unfold etc. transformation operations, are defined in terms of this 
unification, and conditions are defined to ensure their correctness. These condi- 
tions can be partially checked during schema development, but generally leave 
a residual which can only be checked when the schema is applied to a program. 

We have implemented the higher-order unification algorithm, and a simplified 
version of some of the transformations. 
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A The Schema Unification Algorithm 

In the following presentation, Var denotes an object-level variable, V:l repre- 
sents a vector with length I, Atom denotes an atom, P{A) represents a function 
or predicate with head P and arguments A. For brevity, it is assumed in this 
presentation that atoms, predicates, functions or object-level variables can be 
freely converted to vectors of length 1 . 

B=„A 

A=,B 



P —ai Q, AiUi — cr 712CT2 


Var ^ P{Ai) 


P(Ai) QiM) 


p(Ai) = -r Var 

{P(Ai)/Var} 


Atom ={} Atom 


AtOTfl {^AtomlV av^ CIT 


V:l = , ,T7 , Atom 


V:l = jT Var 


{Atom/ 1} 

v-.l ^ P(A) 


[Var /V, 1=1} 




Vq,T\ {Vari/Var^} ^^^2 


1 


j = 1, k{i^j) = 0, y =cr 


V I'.h ={Vi/V2,h=h} V 2'h 


(Vr.h,...,Vk.lk) =o P(A) 


= 1; 


= 0, VfA =„ Var 


{V I'.li, ..., 


Vk'lk) =<j Var 



Elih = n 

3 X,n. {X:n, V2-h, ■■■,Vk'lk) =a {W2-m2, ...,W j-.mj), mi + n = h 
iVi:h,...,Vk:lk) ={(Pp^X)/Fi}o<t iWi-.mi,...,Wfmj) 

{V Vk-lk) =<j {Wi'.mi, ...,W j-.mj) /i = 0 
{Vl'.ll, Vk'-lk) ~{Q/Ui}0(T ) 



( 5 ) 
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B Fold/Unfold Example 

We now present a modified version of the tupling example from §2 of 0. Vectors 
and atoms which are not fold-allowing are underlined. 

B.l Initial Program Schema 

We start with a program Program with clauses as follows: 

_ 

cl : P(Vi) ^ Pi{Yi,L,Y 2 ),P 2 {Zi,L,Z 2 ),R. 
c2 : Pi{Ai,nil, A 2 ) ^ . 

c3 : Pi{A 3 ,cons{Hi,Ti),A 4 ) ^ Pi{A 5 ,Ti, Aq). 
c4 : P 2 {Ar,nil, As) ^ . 

c5 : P 2 {Ag, cons{P[ 2 ,T 2 ) , Aio) ^ P2(^ii, ?2, 7I12), ^(^13). 

Note that when a schema pattern is finally matched to a fragment of Prolog 
program, different instances of the same schema variable name must match with 
Prolog-unifiable pieces of the program, so we must be careful to ensure that 
schema variable names are different where we do not wish this to be the case. 

B.2 Schema Development 

Define a new predicate with the first two atoms from the body of cl. The 
new predicate should have the same arguments as the atoms in its body, al- 
though we are free to reorder them and remove repeated occurrences as we see 
fit. The new predicate name must not already be in use, so (Pg = {New ^ 
{x^, cl, c2, c3, c4, c5, x^}}- The new predicate name is instantiated when the 
schema is applied to a program. 

c6 : New{L,Yi,Y2,Z4,Z2) ^ Pi(Fi, £,^2) , P2(^i, T, ^2) - 

Fold the first two atoms of the body of cl using c6. Since c6 is a new predicate, 
and cl is old, the fold is allowed. The unifier is trivial so there is no specialisation. 

c7 : P(Xi) ^ New{L,Yi,Y 2 ,Zi,Z 2 ),R. 

Unfold the first literal of c6 using c2 and c3. Since this is a leftmost unfold, it is 
correct as long as we follow the five unfolding steps defined in ^ 

1. Generalise the heads of the unfolding clauses (c2,c3): 

n = Pi(Bi,M^ 2 ) 0 i = 1 ^ 2 / 52 } 

A = Pi(Vi, P, V2) 02 = {L/M, Y4lB4,Y2{B2i 



Development of Correct Transformation Schemata for Prolog Programs 279 



2. Find 0 such that AO = HO. Here, we can choose O = {Bi = Yi,M = 
L,B2 = Y2}. Other possible unifiers correspond to cases where the list L 
appears more than once in the head of P\ or in the first literal of c6. 

3. Apply O to the source predicate c6. Since 6> is a renaming, this step is trivial 
and the development history is undisturbed. 

4. Produce the new clauses, (c8,c9): 

c8 : New{L, Yi,Y2,Zi, Z2) ^ {M = nil, Ai = Hi, A2 = B2), 
P 2 (Zi,L,Z 2 ) .{M = L,Bi = Yi,B 2 = F2} 
c9 : New{L,Yi,Y2, Zi, Z2) ^ {M = cons{Hi,Ti), A^ = Hi, A4 = B2), 
Pl(A3,r,A4),P2(Fi,M,Z2).{M=£,Hi =Fi,H2 =F2} 



5. Solve the introduced equations. This gives: 

c8' : N ew{nil ,Y i,Y 2, Z i, Z2) ^ Ai = Y i, A2 = Y2, P2{Zi,nil, Z2). 
c9' : New{cons{Hi,Ti),Yi,Y2,Zi,Z2) ^ A3 = Fi, A4 = F2, 

Pi{A 5 ,T, Ae), P2{Zi,cons{Hi,Ti), Z2) . 

Now we unfold the newly introduced clauses (c8',c9') using (c4, c5). 

First unfold c8' using (c4, c5): 

n = P2(Ci,N,C2) ei = {Ar/Ci,nil/N,As/C^ 

A = P2{Zi,nil,Z2) 02 = {AQ/Cucons{H2,T2)/N,AwlC2} 

Find O such that AO = HO. One possible unifier is {ZilCi,niljN, Z2IC2}- 
This is a renaming of the unfolding atom, so no program modification is neces- 
sary. 

Apply 0 to c8' and produce the two new clauses: 

clO : New{nil,Yi,Y2,Zi,Z2) ^ (A7 = Ci, Ag = C2, = nil), Ai =Fi, 

A2 = F2, {Fi = Cl, nil = N,Z2 = C2}. 

cll : New{nil,Yi,Y 2 ,Zi,Z 2 ) ^ (Ag = Ci, cons(i72, T 2 ) = TV, Aio = C 2 ), 

Ai = Fi, A2 = F2, {Fi = Cl , ml = N,Z2 = C2,} 

Clearly the body of cll contains an inconsistent substitution and so is finitely 
failing and can be omitted from the final program. 

Since Ci, C2 and TV do not appear in the original program schema — they 
were only introduced during the pattern unification process — we can eliminate 
them from clO above to give: 

clO^ : N ew(nil , Y \,Y 2, Z\, Z2) < — Zi = A7, Z2 = Ag, Ai = Yi, A2 = Tg- 
Next, unfold c9': 

H = P 2 {Ci,N,C 2 ) _ ei = {Ar/Ci,nil/N,M/C 2 } 

A = P2{Zi,cons{Hi,Ti),Z2) 02 = {Ag/Ci, cons(iV2, T2)/TV, A 10 /C 2 } 
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Find 0 such that A 0 = HO. One unifier is {Zi/Ci, cons(iJi, Ti)/iV, Z2/C2}. 
This is a renaming of the unfolding atom, so no program modification is neces- 
sary. 

Apply 0 to c 9 ' and produce the two new clauses: 

cl 2 : New{cons{Hi,Ti),Yi, Y2, ^1, Z2) ^ (A7 = Ci,nil = N, 

As = C2),A3 = Yi,A^ = Y 2 , Pi{As,Ti, Aq),{Zi = Ci, 

N = cons{Hi,Ti),Z 2 = 02}. 

cl3 : New{cons{Hi,Ti),Yi,Y 2 , Zi, Z 2 ) ^ (Ag = Ci, cons(i? 2 , 72) = N, 
Aio = O2), A3 = Ti, A4 = F2, 7 ’i(A 5 , Ti, As), P 2 (Aii, Tg, A12), 
F(Ais),{Zi = Ci,N = cons{Hi,T^),Z2 = C 2 }. 

Clearly the body of cl 2 contains an inconsistent substitution and so is finitely 
failing and can be omitted from the final program. 

As before, we can eliminate the variables C\, C2, and N which were intro- 
duced during the pattern unification process. 

cl 3 ^ : New(cons{Hi^ 7 i), Yi,Y2-, Z\, Z2) < — Z\ = Ag, Hi = H2, T\ = Tg, 

Z 2 = Aio, A3 = Ti, A4 = 1 ^ 2 ) Cl (As, Ti, Ag), P2 (Aii, Ti, A12), P(Ai3). 

Now we fold cl 3 ' using c6'. As noted in the second item of we must check 
the unifying substitution. In general this condition can only be checked when 
the schema is instantiated with a Prolog program, but in this case we can easily 
see that vars{bd{cd>)) — vars{hd{c(S)) = {}. We produce the new clause: 

cl 4 : New{cons{Hi,Ti),Yi,Y2,Zi,Z2) ^ Zi = Ag,Pi = H2,Ti = T2, 

Z2 = Aio, A3 = Yi,A 4 = Y2, New{Ti, Ag, Ag, An, A12), P(Ai3). 

The final program is made up from clauses c 7 , clO', cl 4 , c 2 , c 3 , c 4 , c 5 . By tracing 
through the substitutions we can eliminate the intermediate variables introduced 
in the presentation above to produce an equivalent list of clauses using variable 
names from the original schema: 

c 7 : P(Xi) ^ New{L,Yi,Y2,Zi,Z2),R. 

clO' : N ew{nil, Yi,Y2, Z\, Z2) < — Z\ = A7, Z2 = Ag, Ai = Ti, A2 = Pg- 
cl 4 : New{cons{Hi,Ti),Yi,Y2,Zi,Z2) ^ Zi = Ag,Hi = H2,Ti = T2, 

Z2 = Aio, A3 = Pi, A4 = Y2, New{Ti, As, Ag, An, A12), P(Ai3). 
c2 : Pi(Ai,ml,A2) ^ . 

c 3 : Pi(A3,cons(Pi,Pi), A4) ^ Pi(As, Ti, Ag). 
c 4 : P2{Ar,nil, As) ^ . 

c 5 : P2(Ag, cons(i72, P2), Aio) ^ C2(An, T2, A12), P(Ai3). 

The transformation schema is made up of the initial and final schema patterns. 
Note that the schema we have derived has some generality. For example, the 
use of vectors in the heads of Pi and P2 means that we do not require the list 
argument to be in any particular position. 
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B.3 Application of the Schema to a Program: An Example 

Consider the program from [3|[p.264]: 

cl : average{L, A) <— length{L, N), sumlist(L, S),div{S, N, A). 
c2 : length(nil,Q) <— . 

c3 : length{cons{Hl,Tl), s{Nl)) <— length{Tl, Nl). 
c4 : sumlist(nil,Q) <— . 

c5 : sumlist{cons{H2, T2), S'!) <— sumlist(T2, S2), sum{H2, S2, SI). 
Matching the input schema with the program above gives: 



P = average 


Pi = length 


P 2 = sumlist 


3l = () 


to 

II 

O 


^3 = 0 


J4 = s(Nl) 


^5 = 0 


Aq = NI 


M = {) 


As = 0 


^9 = 0 


^10 = 'S'l 


All = 0 


Ai 2 = 52 


Ai3 = (P2,52,51) 


R = div{S, N, A) 


Ai = (L,A) 


^1 = 0 


Fa = A 


Zi = {) 


II 


L = L 


Hi = HI 


to 

II 

to 


Tl = Tl 


II 

to 





Applying this substitution (omitting trivial variable assignments) to the final 
program schema gives the following program, as expected: 

c7 : average{L , A) <— new{L, N, S), div{S, N, A). 
clO : new{nil, N,S) <— 5" = 0, A = 0. 

cl4 : new{cons{Hl, T1),N, S)^ HI = H2, Tl = T2, s{Nl) = N,S = SI, 

new{Tl, Nl, S2), sum{H2, S2, S'!). 

c2 : length{nil,0) ^ . 

c3 : length{cons{Hl,Tl), s{Nl)) <— length{Tl,Nl). 
c4 : sumlist(nil,0) <— . 

c5 : sumlist{cons{H2, T2), 51) ^ sumlist{T2, 52), sum{H2, 52, 51). 
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Abstract. Regular approximation is a well-known and useful analy- 
sis technique for conventional logic programming. Given the existence 
of constraint solving techniques, one may wish to obtain more precise 
approximations of programs while retaining the decidable properties of 
the approximation. Greater precision could increase the effectiveness of 
applications that make use of regular approximation, such as the de- 
tection of useless clauses and type analysis. In this paper, we introduce 
arithmetic constraints, based on convex polyhedra, into regular approxi- 
mation. In addition, Herbrand constraints can be introduced to capture 
dependencies among arguments. 



Keywords: regular approximation, linear constraints, convex polyhedra. 

1 Introduction 

Regular approximation is a program analysis technique sometimes identified 
with “type inference” . Type inference is the process of determining the type of 
program units. Type systems are designed to allow the programmer to describe 
the set of intended values that an argument can take. 

Regular approximations are not true types, but rather syntactic descriptions 
of the success set of programs. Thus the word “type inference” is not strictly 
correct although for definite logic programs the concept of “type” and success set 
of predicates coincide quite closely for practical purposes. The practical useful- 
ness of regular approximation is to provide a decidable description of the set of 
terms that can appear in each argument position in correct answers. In previous 
work on regular approximations, or the closely related concepts of (rigid) type 
graphs, sets of terms are given by recursive descriptions which are essentially 
deterministic finite automata. Certain built-in sets such as numbers can be in- 
cluded in the descriptions. It is possible to improve on the precision of regular 
type description, departing from strictly regular description, without losing de- 
cidability. One such method will be explored in this paper, namely, the addition 
of constraints to regular descriptions. 
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The class of regular unary logic (RUL) programs was defined by Yardeni and 
Shapiro m- They define a class of types called regular types, and show the 
equivalence between regular types and RUL programs. They represent regular 
types by Deterministic Finite Automata (DFA) and use tuple distributive closure 
for types as defined by Mishra M- Their formalism for describing sets of terms 
is adopted in [^, and also followed in m and ra as extensions of 0 . In 0| 
Gallagher and de Waal define an efficient regular approximation framework. All 
procedures they define such as upper bound and intersection, handle programs 
whose clauses are in a special, restricted form (RUL clause). This form is given 
in the following definition. 

Definition 1. A (canonical) regular unary (RUL) clause is a clause of the form 

^0 (/*(^1 ; ■ • ■ 1 ^n) ) ^ (xi ) , . . . , 71 Y 0 



where xi, ... ,Xn are distinct variables. 

By relaxing Definition Q we make an extension to the notion of regular ap- 
proximation, by allowing arithmetic and Herbrand constraints in the bodies of 
regular clauses. This permits us to capture dependencies between the arguments 
of terms, and also, in certain cases, to capture dependencies between arguments 
at different levels of a term. For example, we can capture dependencies between 
successive elements of a list, or every other element of a list by imposing a 
suitable depth bound. 

2 Constrained Regular Approximation 

In order to achieve the aforementioned extension, the general form of a con- 
strained regular unary clause can be given as follows. 

Definition 2. A constrained regular unary (CRUL) clause is a clause of the 
form 



to{f{xi, ..., Xn)) ^ C, ti(xi), ..., tn(Xn) 71 > 0 

where Xi, ... ,Xn are distinct variables and C is a conjunction of constraints 
projected onto xi, . . . ,Xn. 

Note that we usually use sets to deal with conjunctions; in the definitions 
below, a set of some syntactic objects, if any, stands for a conjunction of the 
syntactic objects. 

Example 1. The following clause is a constrained regular unary clause. 



sorted{[X\Y\) = [Z\W\^X < Z, sorted{Y). 
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Note that the constraints contain local variables Z and W . There is also an 
implicit unary atom any{X) in the body to fit the defined form, where any{X) 
is true for all X. 

Some definitions are next given to define the main operations and relations 
on CRUL clauses. 

Definition 3. Let t be a term and C a eonjunetion of eonstraints. A pair (t,C) 
is called a constrained term. Two constrained terms and (^ 2 ,^ 2 ) overlap 

if there is a substitution 6 such that both 

1. ti9 = t 20 , and 

2. C\9 and C 2 O are satisfiable. 

We say that two CRUL clauses p{ui) ^ Ci,ti(xi), . . . ,tn{x„) and q{u 2 ) ^ 
C 2 ,si{x\), . . . ,Sn{xn) Overlap if the constrained terms (ui,Ci) and (u2,C2) over- 
lap. 



Definition 4. CRUL program 

A constrained regular unary logic (CRUL) program is a finite set of con- 
strained regular unary clauses in which no two (standardised apart) clauses over- 
lap. 



Definition 5. Let P be a definite program and P' a CRUL program containing 
a special unary predicate approx/1. Assuming a fixed interpretation of constraint 
predicates and functions and Herbrand interpretations of the other predicates and 
functions, let M{P) be the least model of P. Then P' is a constrained regular 
approximation of P if M{P) is contained in the set { A | approx{A) G M{P') }. 

Note that, as in |^, in using approx /I we abuse notation by confusing predi- 
cate and function symbols. Using the approx predicate allows us to restrict atten- 
tion to CRUL programs. Often it is omitted and a clause approx{p{x \, . . . , Xn)) 
^ C,pi(xi), . . .,p„(xn) is written as p(xi , . . . ,x„) ^ C,pi(xi), . . . ,p„(xn). 

Definition 6. Let p be a predicate. Then, in the context of some program P, 
procfp) is the set of all the clauses in P whose head contains p. 



Definition 7. Let p be a predicate. Then, in the context of some program P, 
def{p) is the set of all the clauses in P defining p, including subsidiary defini- 
tions. Formally, 

def{p) = procfp) U Ul def{q) I q occurs in procfp) } . 
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2.1 Operations on Constraints and CRUL Programs 

We approximate arithmetic constraints using convex polyhedra since it seems 
to be the most interesting approach for general use, although there are other 
approaches such as affine sub-spaces, intervals, and signed inequalities mM, 

13], El. 

A convex polyhedron is characterised by a system of linear constraints. The 
set of solutions to a finite system of loose linear inequalities can be interpreted 
geometrically as a closed convex polyhedron of J?". The least polyhedron contain- 
ing this set is called its convex hull. There is no loss of generality in considering 
only loose linear inequalities since strict inequalities can be handled by adding 
an auxiliary variable e, 0 < e < 1 as shown in Qj. 

Least upper bound and widening operations over polyhedra are defined in 
P|. De Backer and Beringer introduced “linear relaxation” in ^ where explicit 
computation of the constraints defining the convex hull is not needed. The ex- 
pression is obtained by only adding new variables to the initial problem. Al- 
though it looks potentially expensive, it is easy to implement for computing the 
least upper bound of convex polyhedra P| . 

A predicate can be given a constrained regular definition. The clauses of the 
predicate require some form that allows operations to be efficiently performed. 
Moreover terms in constraints having unbounded depth increase the difficulty of 
defining a terminating fixpoint computation (see Section im . A depth bound 
is needed to put an upper bound on the size of CRUL programs. This helps to 
ensure termination of the approximation procedure. 



Definition 8. constrained regular definition of a predieate 

Let p be a unary predicate. A constrained regular definition of p for some 
depth k is a constrained regular unary program whose clause heads all have pred- 
ieate p, and where the maximum depth of terms in the eonstraints is k. 



Intersection of regular unary predicates is required in order to produce CRUL 
clauses. Let ti{x),t2{x) be a conjunction. We compute a new predicate r = 
ti n ^2 such that Vx(<i(a;) A t2{x) ^ r{x)). 

To simplify the presentation, let us assume that the CRUL clauses contain 
only Herbrand and linear arithmetic constraints in their constraint parts. That 
is, each CRUL clause is of the form p{f{xi, . . . , x„)) ^ H, A,pi(xi), . . . ,Pn{xn) 
where H and A are conjunctions of Herbrand and arithmetic constraints respec- 
tively. We assume that H is of the form {vi = ti,...,Vk = tfc} where no Vj 
occurs in t\, . . . fiu- 



Definition 9. intersection of constrained regular unary predieates 

Let p and q be unary predicates with eonstrained regular definitions proc(p) 
and proc(q) respectively. Then their intersection pfi\q is defined by a predicate 
r with constrained regular definition given as follows. 
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/ 

r{t) ^ mgu{Hp,Hq), 


for each t such that 


Ap A Aq^ 


p{t) ^ Hp,Ap,pi{xi),...,Pn{xn) and 




q{t) ^ Hq,Aq,qi{xi),...,qn{Xn) 




occur in proc(p) and proc(q) respectively. 




Ap A Aq is satisfiable and 


^ n (^n) 


{t,Hp),{t,Hq) overlap. 



where Vi = Pif]qi, and Hp, Hq are sets of Herhrand constraints, Ap, Aq are sets 
of arithmetic constraints, and mgu{Hp, Hq) is the set of equations in the solved 
form of Hp U Hq . 

An upper bound operation for CRUL predicates will be defined to reduce 
the number of clauses in the definition of a predicate by merging overlapping 
ones. To form the upper bound of two CRUL predicates, definitions for both 
predicates including the definitions of the subsidiary predicates in the bodies of 
the clauses defining the predicates are needed. We can separate the construction 
of upper bound of predicates into two parts. One of them is the construction of 
the constraint part and the other one is the construction of the regular part. Let 
us first give some definitions to define the upper bound of the constraint parts. 

Definition 10 . generalisation of terms 

Let ti and O be two terms. Then a term t is a generalisation of the terms ti 
and O if there exist two substitutions 9 \ and 62 such that tOi = ti and f02 = O- 



Definition 11 . most specific generalisation of terms 

Let t be a generalisation of the terms t\ and t2 ■ Then t is the most specific 
generalisation of t\ and t2, denoted msg{t\,t2), if for any generalisation t' oft\ 
and t2, there exists a substitution & such that t'6' = 



Definition 12 . most specific generalisation of set of equations 

Let Hi = {xi = ti,...,Xn = tn} and H2 = {yi = si,...,ym = Sm}- 
Let zi,...,Zk be the variables that occur on the left hand side of equations in 
both Hi and H2, say zi = ti, . . . ,Zk = H in Hi and zi = si, . . . , Zk = Sk in 
H2- Then msg{Hi, H2) is the set of equations {zi = ri,...,Zk = rk\ where 
(ri,...,rfe) = msg{{ti,...,ik),{si,...,Sk)). 

Note that we usually use sets to deal with conjunctions; in the above defi- 
nition a set of some syntactic objects stands for a conjunction of the syntactic 
objects. 

Definition 13 . upper bound of constraints 

Let (Hi,Ai) and (H2,A2) be conjunctions of Herbrand and arithmetic con- 
straints. Then an upper bound (H,A) denoted {Hi, Ai)\_\{H2, A2) is computed 
as follows. 



Constrained Regular Approximation of Logic Programs 287 



begin 

H ■= msg{Hi,H2) 

9i := mgu{H, Hi) 

02 := mgu{H, H 2 ) 

while 3 yilv,yklv € Oi,i ^ k,v occurs in Ai 

01 ■■= 9\ - {Vk/v} 

Ai := Ai U {yi = yk} 

end 

while 3 yj/w,yi/w G 02 , j ^ l,w occurs in A2 

02 := 02 - {yi/w} 

A2 := A2 U {yj = yij 

end 

Pi := {vlyijyijv G 0 i,v is a variable} 

P2 ■= {w/yj\yj/w G 02 , w is a variable} 

A := CH{Aipi, A2P2) 

end 

where CH{Aipi, A2P2) is the convex hull computed from the conjunctions of 
arithmetic constraints Aipi and A2P2- 



The purpose of this construction is to compute the most specific generalisa- 
tion (msg) of the Her brand constraints, and then derive suitable renamings for 
the arithmetic constraints to make them compatible with the variables in the 
msg. During this process, aliasing among arithmetic variables which is lost in 
the msg is recovered, and added as arithmetic equalities. Finally the convex hull 
of the renamed arithmetic constraints is computed. 



Example 2 . Let (Hi,Ai) he X = f{Y,Y),Y > 0 and 
let {H2, A2) he Z = f{U, V),-U = V. 

Then 

msg{Hi,H2) = {Zi = f{Z2,Z^)), 

01 = {Zi/X,Z2lY,Zn/Y}, 

02 = {ZilZ,Z2lU,Z^lV}. 

At the end of the while loops, 

pi = {XlZi,YlZ2}, 

P2 = {ZIZI,UIZ2, V/Z^}, Ai = {r > 0, Z 2 = Z3} 

A2 = {-U=V}. 

Hence after applying the convex hull procedure CH(Aipi, A2P2), the result 
is 



(H,A) = (Zi = f(Z2,Z3),-Z2 < Z3). 
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Lemma 1 . LetC\ = andC2 = (i?2,^2) be conjunctions of constraints. 

Let their upper bound C = C1IJC2 be (H,A) = Ai) |J(_ff2, ^2)- Assume 
Hi and H2 are of the form x\ = ti,. . . ,Xn = tn and x\ = si,. . . ,Xn = Sn 
respectively, which implies we can assume that H is of the form xi = r\, . . . ,Xn = 

^ n ■ 

ThenWxi, . . . ,Xn y{Ci ^ CA C2 — > C). 

Proof. Outline. Let the upper bound C = Ci IJC2 be {H, A) = {Hi,Ai) \_\{H2, A2), 
where H = msg{Hi, H2) and A = CH{Aipi,A2P2), Pi and p2 being variable 
renamings as constructed in Definition ^3 

Then, V((iLi, Ai) ^ H) since H = msg{Hi, H2) is the most specific generali- 
sation of the conjunction of Herbrand constraints Hi and H2 where the variables 
in Hi, H2 and H are renamed to be the same. 

y{{Hi, Ai) — > Alpi) holds since the renaming pi only introduces fresh vari- 
ables. 

y{Aipi — > CH{Aipi, A2P2)) because CH{Aipi,A2P2) describes a polyhe- 
dron containing both Aipi and ^2^2- Hence ^ A). 

Then, since H and A are true independent of the truth of each other, 
V((iJi,Hi) ^ (H,A)) holds. Similarly, for (iL2, ^2), V((iL2, H2) ^ (H,A)) holds. 

Let us now define the upper bound of two CRUL clauses before defining the 
upper bound of two predicates. We denote the upper bound of two predicates t 
and s by t [J^ s, which will be defined in Definition m 



Definition 14 . upper bound of two constrained regular unary clauses 

Letp{u) ^ Hi, Ai,ti{xi), . . . ,tn{Xn) andp{u) ^ H2, A2,Si{xi), . . . ,Sn{Xn) 
be two overlapping clauses, with variables renamed so that the heads are identical. 
Then their upper bound is 

p{u) ^ H,A,ri{xi),. . . , rn{xn) 

where ri = U UpS* and {H,A) = {Hi,Ai)U{H2,A2). 

Next we show how to assign unique names to the upper bounds of predicates. 
This is done in order to ensure termination of the upper bound procedure. 

Let Pred = {pi, . . . ,p„} be a set of unary predicates. Define Pred'^ to be a 
set of 2 " — 1 unary predicates, including pi, . . . ,p„. Identify each element q of 
Pred'^ with a unique non-empty subset of Pred, denoted Name{q). 

The function Name is extended to upper bounds of predicates in Pred^, such 
that 

Name{qi Up 92) = Name{qi) U Name{q2). 

Thus for all qi,q2 & Pred'^, giUp92 is associated with a unique element of 
Pred'^, say qs where Name{q-i) = Name{qi) U Name(q2). 
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Intuitively, a set of predicates uniquely determines their upper bound, and 
so Pred'^ contains sufficient predicates to name each upper bound of predicates 
in Pred. 

We next define an operation that converts a set of CRUL clauses into a 
CRUL program, by successively removing overlapping clauses. First we define 
some simple operations. 

Definition 15. Let Pred he a set of unary predicates. Let r and t be predi- 
cates G Pred'^. Let s be the predicate such that Name{s) = Name{r\_\pt). Then 
merge{r,t) is the set of clauses obtained from proc{r) U proc(t) by replacing the 
predicates in the heads by s. 



Definition 16. Let r and t be predicates and R a set of clauses, merge ^{r,t) is 
defined to he: 

— 0, if R contains the predicate s such that Name{s) = Name{r) U Nameft); 

— merge{r,t), otherwise. 



Definition 17. normalisation of a set of CRUL clauses 

Let R be a set of CRUL clauses. Define norm{R) as follows: 

— norm{R) = R if R has no overlapping clauses; 

— norm{R) = norm{R—{Ci, C' 2 }U{C'}Umerge^(ti, si)U. . .\J merge fjitn, s„)), 

where Ci = Ax ^ Di, ti(xi), . . . , and C 2 = A 2 ^ £> 2 , ri(xi), . . . , 

rn{xn) are overlapping clauses in R, and C = C\ Uc^2. 

Informally, the norm operation removes a pair of overlapping clauses, and re- 
places them by their upper bound. This may introduce new clauses since the 
upper bound can contain new predicates; the operation is repeated until no 
overlapping clauses remain. 

Note that the use of the operation merge in the definition of norm is nec- 
essary to ensure termination of normalisation, since it prevents the addition of 
clauses for predicates already in the program. Without this operation it would 
be possible to reintroduce overlapping clauses that had previously been removed. 

Proposition 1. The operation norm{P) terminates. 

Proof. Let Pred be the set of predicates in P. We define a mapping from CRUL 
programs onto a well-founded set. Then we show that in the recursive equation 
in the definition of norm, the argument of the call to norm on the right is strictly 
less (with respect to the associated ordering on the well-founded set) than the 
argument of the call on the left. 

The well-founded set consists of pairs {N, V), where N , V are natural num- 
bers. The ordering is the lexicographical ordering, that is. 
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(iVi, Vi) < (iVa, V2) iff iVi < N2, or Nx = N2 and Vi < 

Let P = Pq; the computation of norm{P) gives rise to a sequence of calls 
norm{Po), norm{Pi), norm{P2), ■ ■ ■■ Define {Nj, Vj) as follows. Nj is the number 
of predicates in Pred^ that do not appear in Pj, and Vj is the number of clauses 
in Pj. 

Consider the relationship between Pj+i and Pj, which is given by the left 
and right hand sides of the recursive equation for norm. Either 

1. the number of unused predicates is decreased (in the case that some new 
predicates are introduced into Pj+i, by the mergcp. components); or 

2. the number of clauses in Pj+i is one less than the number in Pj (in the case 
that no new predicates are introduced). 

In both cases {Njpi,Vj+i) < {Nj,Vj). Since the relation < is a well-founded 
order, the sequence of calls to norm is finite. Note that the number of clauses 
can increase during the procedure, but only in the case when the number of 
unused predicates symbols simultaneously decreases. 

We can now use the norm operation to define the upper bound of two pred- 
icates. 



Definition 18. Let r and t he two unary predieates. Then the upper hound of 
r and t is given hy the predicate r|J t such that Name{r\_\pt) = Name{r) U 
Nameft) defined hy the clauses norm(R), where 

R = def{r) U defft) — proc{r) — proc{t) U merge{r,f) 



Also using the norm operation, we define the upper bound of two CRUL 
programs. 

Definition 19. The upper hound of two CRUL programs, P and Q, denoted 
P\_\prog Qt defined to he norm{P U Q). 



Example 3. The following program is used to give some idea of the operations 
defined. 



p([Xl|X2]) X2=[X3|X4], X1>=0, X1>=X3, tl(X2). 

p([Xl|X2]) X2=[X3|X4], Xl>=3, X1=<2*X3, sl(X2). 

tl([Xl|X2]) Xl=<2, t2(X2). 

t2([]). 

sl([Xl|X2]) Xl=<10, s2(X2). 

s2([]). 
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The two clauses defining p/1 overlap. The upper bound tl3 of predicates tl 
and si is computed to compute the upper bound of the clauses for predicate p. 
The resulting program is given below. 



p(Xl) X1=[X2,X3], X3=<10, X2-0 . 3*X3>=0 , X2>=0, t29(Xl). 
t29([Xl|X2]) X2=[X3|X4], X3=<10, Xl-0 . 3*X3>=0 , X1>=0, tl3(X2) . 

tl3([Xl|X2]) X2=[], Xl=<10, tl4(X2) . 

tl4( [] ) : - true . 



An essential operation when computing a fixpoint is to check inclusion of one 
constrained regular unary predicate in another. 

Definition 20. inclusion of constrained regular unary predicates 

Let p and q be defined in a CRUL program. Then the inclusion of the predi- 
cates p and q is checked as follows. 

pQq iff for all clauses {p{ti) ^ Hp.,Ap.,pi^{xi), . . . ,Pi„(x„)), 

there exists a clause {q{tj) <— Hq . , Aq . , (a;i), . . . , qj^ (xn)) 

and there is a substitution 0 such that 

1 . fti^Tlpf) = (tj^Uq^^O^and Ap^ Aq^O^ 

2. P^^ C qj^,...,pi^ C qj^. 



Definition 21. depth-k abstraction of a CRUL clause 

Let p{f) ^ H, A,pi(xi), . . . ,Pn{xn) be a CRUL clause. Then the depth-k 
abstraction of the clause is p{t) ^ Hk, Ak,pi{xi), . . . ,pn{x„) where Hk is depth- 
bounded version of H and Aj~ is A projected onto the variables occurring in Hk 
and t. 

Depth-fc abstraction is performed just after the intersection operation and the 
depth of terms does not have to be taken into account during the intersection, 
upper-bound, or widening operations. The depth-2 abstraction of the clause 
p([Xl|X2]) X2=[X3,X5|X6]] ,Xl>X3,X3>X5,q(Xl) ,r(X2) 

is 

p([Xl|X2]) X2=[X3|X4] ,X1>X3, q(Xl) , r(X2). 

Depth-3 abstraction makes no change in this case. Using depth-2 is a good 
compromise since it allows inferring dependencies between one level and the 
next, and since dependencies between terms at widely separated levels within a 
term do not occur frequently. 

2.2 Computation of a Constrained Regular Approximation 

A semantic function is defined similarly to the one in p]. The approximation of 
a program P is computed by an iterative fixpoint computation with widening. 
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A sequence of constrained regular approximations Pq, Pi, P 2 , ■ ■ ■ is computed 
as follows. 



Po = 0 

P^+l = P^ S/Prog T{Pi) {i > 0 ) 



where 

T{P^) = P^ Up™s(U{solve(C, P,)\CG P}). 

solve(C', Pi) takes a clause C and a CRUL program Pi and returns a constrained 
regular definition of the predicate in the head of C. The operations intersection 
and depth-fc are included in solve. The body of C is solved in the current ap- 
proximation Pi which involves unfolding the body and intersecting the predicates 
with the same argument. 

The limit of the sequence Pq, Pi, P 2 , ■ ■ ■ is the constrained regular approxi- 
mation of P. 

The operators V Prog and Uprog Definition E] are widening and upper 
bound operators on programs respectively. The only requirement on these oper- 
ations is that they should be safe with respect to the underlying order of the 
approximations . 

2.3 Termination of Fixpoint Computation 

There are two different fixpoint computations, taking place at the same time, to 
be terminated. One is for the arithmetic approximation, and the other one is for 
the regular approximation. 

For the fixpoint computation of arithmetic constraints we have existing tools 
for applying various different upper bound and widening operators with different 
trade-offs of precision and efficiency and an optional narrowing operator. The 
operators were suggested in |0 and [Q. We use simplified and efficient versions 
of them M- 

Effective abstract interpretation procedures for computing a regular approx- 
imation of a program (using RUL programs or some equivalent notation) have 
been defined in 0 and [E]. Several other works contain other solutions to the 
problem. For the termination of regular approximation we adopted the “short- 
ening” defined in |E]. A “widening” 0 operator could also be chosen. 

Definition 22. shortening of CRUL predicates 

Let P be a CRUL program containing predicates t and s (t ^ s). Let an 
occurrence of predicate t depend on predicate s, and let t and s have the same 
function symbols in their clause heads. Then the occurrence of s is replaced by 
t, if s is included in t. 

The shortening operation defined in 0 is less precise, but sometimes faster. In 
the shortening there, a recursive approximation is introduced whenever predicate 
t depends on predicate s, and t and s have the same function symbols in their 
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clause heads, without checking the inclusion. We can further improve precision 
comparing to |H| by taking into account the Herbrand constraints as well as the 
head functions. 

3 Examples 

A number of simple examples are given in this section to illustrate the approxi- 
mation. 

Example 4- List of sorted numbers 

Let us consider the constrained regular approximation of the following simple 
program. 

sortedC [] ) . 

sorted([X]) X >= 0. 

sorted([X,Y|Z]) X >= Y, sortedC [Y I Z] ) . 

The limit of the successive approximations of the program gives the following 
result. 

sorted(Xl) :-tl(Xl). 
tl([]) :-true. 

tl([Xl|X2]) :-X2=[] ,Xl>=0,any(Xl) ,t2(X2) . 

tl( [XI 1X2] ) :-X2=[X3|X4] ,Xl>=0,Xl-X3>=0,any(Xl) ,tl(X2) . 

t2([]) :-true. 



Example 5. List of uniform elements 

We can capture other dependencies, not necessarily arithmetic, between dif- 
ferent levels as in the following program. 

uniform ( [] ) . 
uniform ( [X] ) . 

unif orm( [X,X I Y] ) unif orm( [X I Y] ) . 

The following CRUL program is generated as the limit of the successive 
approximations of the above program. 

uniform(Xl) :-tl(Xl). 
tl([]) ; -true . 

tl([Xl|X2] ) :-X2=[] , any (XI) ,t2(X2) . 
tl([Xl|X2] ) :-X2=[Xl|X3] , any (XI) ,tl(X2) . 
t2([]) : -true . 

The redundant atoms in the clauses of above programs, such as any (XI) 
are not removed for the sake of implementation ease and for conforming to the 
definitions on CRUL clauses. 
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Example 6. Let us show the intersection and upper bound of the above pro- 
grams, to clarify the operations. 

sorted_and_unif orm(X) sorted(X) , 

uniform(X) . 

sorted_or_unif orm(X) sorted(X) . 

sorted_or_unif orm(X) uniform(X) . 

The analysis gives the following CRUL program. 

sorted_and_unif orm(Xl) :-tl(Xl). 
tl([]) :-true. 

tl([Xl|X2]) :-X2=[] ,Xl>=0,any(Xl) ,t2(X2) . 
tl([Xl|X2]) :-X2=[Xl|X3] ,Xl>=0,any(Xl) ,tl(X2) . 
t2([]) :-true. 

sorted_or_unif orm(Xl) t3(Xl) . 

t3([]) :-true. 

t3([Xl|X2]) :-X2=[] ,any(Xl) ,t4(X2) . 
t3([Xl|X2]) :-X2=[X3|X4] ,any(Xl) ,t3(X2) . 
t4([]) :-true. 



Example 7. For a comparison, let us now consider the regular approximation 
and the constrained regular approximation of the following predicate taken from 
an alpha-beta procedure for the game of kalah. 

initialize(kalah,board(a,0,a,0) .opponent) . 
initialize (kalah, tot o(b, 1 ,b, 1) , computer) . 
initialize(kalah,board(c,2,c,2) .computer) . 
initialize(kalah,board(a,0,a,0) .computer) . 
initialize(kalah,board(c,2,c,2) .opponent) . 



Regular Approximation Program: 



initialize(Xl,X2,X3) :-t349(Xl) ,t378(X2) ,t374(X3) . 
t349 (kalah) :-true. 

t378(board(Xl,X2,X3,X4)) :-t380(Xl) ,t381(X2) ,t382(X3) ,t383(X4) . 

t378(toto(Xl,X2,X3,X4)) :-t343(Xl) ,t344(X2) ,t345(X3) ,t346(X4) . 

t374(opponent) :-true. 

t374(computer) :-true. 

t380(a) :-true. 

t380(c) :-true. 

t381(0) :-true. 
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t381(2) 


-true 


t382(a) 


-true 


t382(c) 


-true 


t383(0) 


-true 


t383(2) 


-true 


t343(b) 


-true 


t344(l) 


-true 


t345(b) 


-true 


t346(l) 


-true 



Constrained Regular Approximation Program: 

initialize(Xl,X2,X3) :-t326(Xl) ,t349(X2) ,t345(X3) . 
t326(kalah) :-true. 

t349(board(Xl,X2,X3,X4)) :-Xl=c,X3=c,X2=2.0,X4=2.0,t328(Xl) , 

any(X2) ,t329(X3) ,any(X4) . 

t349(toto(Xl,X2,X3,X4)) : -Xl=b ,X3=b ,X2=1 . 0 ,X4=1 . 0 ,t322(Xl) , 

any(X2) ,t323(X3) ,any(X4) . 

t349(board(Xl,X2,X3,X4) ) :-Xl=a,X3=a,X2=0.0,X4=0.0,t316(Xl) , 

any(X2) ,t317 (X3) ,any(X4) . 

t345( opponent) :-true. 
t345 (computer) :-true. 
t328(c) :-true. 
t329(c) :-true. 
t322(b) :-true. 
t323(b) :-true. 
t316(a) :-true. 
t317(a) :-true. 

Example 8. For greater precision, we introduce some type information into the 
approximation, thus avoiding the overapproximation of some arguments. In the 
following example, numeric is such a type that describes any number, numeric (X) 
can be viewed as an arithmetic constraint that is true for all numbers X, i.e. like 
X = : = X which would normally be removed by the constraint simplification. 

disjunct ( [] ) . 
disjunct! [[A,B,C,D] |R] ) :- 
disj (A,B,C,D) , 
disjunct (R) . 

disj (Aa,Ad,Ba,Bd) : - 
gteqc(Ba,Aa,Ad) . 
disj (Aa,Ad,Ba,Bd) : - 
gteqc(Aa,Ba,Bd) . 
gteqc(X,Y,C) 

X >= Y + C. 
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Regular Approximation Program: 

gteqc(Xl,X2,X3) :-any(Xl) ,any(X2) ,any(X3) . 
disj (X1,X2,X3,X4) : -any (XI) , any (X2) ,any(X3) ,any(X4) . 
disjunct (XI) :-t38(Xl). 
t38([]) :-true. 

t38([Xl|X2]) :-t32(Xl) ,t38(X2) . 
t32([Xl|X2]) :-any(Xl) ,t33(X2) . 
t33([Xl|X2]) :-any(Xl) ,t34(X2) . 
t34([Xl|X2]) :-any(Xl) ,t35(X2) . 
t35([Xl|X2]) :-any(Xl) ,t36(X2) . 
t36([]) :-true. 

Constrained Regular Approximation Program: 
gteqc(Xl,X2,X3) : -Xl-X2-X3>=0 . 0 . 

disj (XI ,X2 ,X3 ,X4) : -numeric (XI) ,numeric(X3) ,any(X2) ,any(X4) . 
disjunct(Xl) :-t39(Xl). 
t39([]) :-true. 

t39([Xl|X2]) :-t33(Xl) ,t39(X2) . 

t33( [XI 1X2] ) :-X2=[X3|X4] ,numeric(Xl) ,t34(X2) . 

t34([Xl|X2l) :-X2=[X3|X4] , any (XI) ,t35(X2) . 

t35( [XI 1X2] ) :-X2=[X3|X4] ,numeric(Xl) ,t36(X2) . 

t36([Xl|X2]) :-X2=[] ,any(Xl) ,t37(X2) . 

t37 ( [] ) :-true. 



4 Limitations 

There are some dependencies that our method cannot capture. Consider the 
following partition predicate taken from a quicksort program. 



Example 9. Partitioning a list of numbers 



partition(_, [],[],[]). 
partition(X, [YlYs] ,L, [YlG]) :- X =< Y, 
partition(X,Ys,L,G) . 
partition(X, [YlYs] , [YlL] ,G) :- Y < X, 
partition(X,Ys,L,G) . 



The analysis gives no precise result. 

partition(Xl,X2,X3,X4) :-any(Xl) ,tl(X2) ,t2(X3) ,t3(X4) . 

where 1 1 , t2 and t3 define lists of any elements. Ideally we would like to capture 
the information that there is a dependency between t2 and t3. 
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If the first argument of partition can be fixed, for example in a goal directed 
analysis of partition(3,X2,X3,X4) the dependency between the subarguments 
of the third and fourth arguments, that is all the elements of the third argument 
are strictly less than all the elements of the fourth argument, of partition can 
be captured. Without knowing the value of the first argument, CRUL clauses 
are not expressive enough to capture the dependency. 

5 Implementation and Related Work 

The implementation of the regular approximation procedure defined in 0 is the 
basis for the implementation of this work. 

Recent studies on approximation of arithmetic constraints have been done in 
a CLP framework by Benoy and King Q and Saglam and Gallagher 1^. The 
method defined in this paper includes arithmetic approximations such as those 
discussed in 0, \m as a special case, where all predicates are arithmetic. For 
example, the list length analysis of the well known append predicate gives the 
result appendix, Y, Z) <— Z = X + y,X>0,K> 0,any{X),any(Y),any{Z). 

The combination of Herbrand and arithmetic constraints, called ’’mixed dis- 
junctive constraints” , was studied in \n\ which is based on the framework set 
out in ^ and uses abstract compilation, where constraint logic programs are 
used to define pre-interpretations as in tm- It handles predicate arguments con- 
taining both Herbrand and arithmetic subterms. Termination is not guaranteed 
if the Herbrand terms are of unbounded depth. Procedures from HH are used 
for the implementation of this work. 

6 Conclusion and Future Work 

We have demonstrated a method that extends regular approximations to capture 
additional decidable properties of a program. We capture dependencies between 
the arguments of terms, and also, dependencies between arguments at different 
levels of a term. 

In our implementation, we provide a number of choices on upper bound and 
widening operators, such as coarse and upper bounds, and simple and precise 
widenings on arithmetic constraints, tuple-distributive upper bound and most 
specific generalisations, and simple and precise widenings on term constraints, 
to obtain substantially different approximations of programs. Constrained regu- 
lar approximation becomes much more efficient (and less precise) if we employ 
depth- 1 for the arguments of approx/ 1, and depth-2 for the arguments of the 
other functions, since it disregards the Herbrand dependencies between the ar- 
guments of predicates, while the top level dependencies within each argument are 
still preserved. Leaving aside the arithmetic constraints, the result of employing 
a depth bound of 1 throughout gives the same result as regular approximation. 

The ability that the method defined in this paper lacks is the handling of 
dependencies among variable arguments of some predicates. In Example one 
can expect an approximation that captures the information that one argument 
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is a list of numbers which are all greater than or equal to the numbers in the 
other list, which is the other argument. To capture this kind of properties a 
parameterised regular clause definition could be appropriate, analogous to the 
addition of polymorphism in types. This is a possible extension of the method. 
Before that this work needs to be experimented on. The stage at which depth-k 
abstraction is performed might change the precision and/or efficiency. Currently 
we perform depth-k abstraction after the intersection operation. It could well be 
a part of widening in the approximation. The performance results and complexity 
analysis compared with standard regular approximation are subjects of current 
investigation. 

Integrating Boolean constraints will give a greater precision and flexibility 
and it appears to be a natural extension of the method. 
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Abstract. This paper presents a logic framework for the incremental 
inductive synthesis of Datalog theories. It allows us to cast the problem 
as a process of abstract diagnosis and debugging of an incorrect theory. 
This process involves a search in a space, whose algebraic structure (con- 
ferred by the notion of object identity) makes easy the definition of algo- 
rithms that meet several properties which are deemed as desirable from 
the point of view of the theoretical computer science. Such algorithms 
embody two ideal refinement operators, one for generalizing incomplete 
clauses, and the other one for specializing inconsistent clauses. 

These algorithms have been implemented in INCR/H, an incremental 
learning system whose main characteristic consists of the capability of ex- 
tending autonomously the search to the space of Datalog^ clauses, when 
no correct theories exist in the space of Datalog clauses. Experimental 
results show that INCR/H is able to cope effectively and efficiently with 
the real-world task of document understanding. 



1 Introduction 

A logical theory can be viewed as a set of conditions, expressed in a logic lan- 
guage, that are necessary and sufficient to explain a number of observations in 
a given environment. In addition to the capability of explaining past events, the 
usefulness of a theory relies on its ability of predicting future situations in the 
same environment. 

If we assume that the only source of knowledge available is represented by a set 
of previously classified observations and no prior knowledge can be exploited, 
the process of formulating a new theory is bound to be progressive. Starting 
from contingent observations, it is not possible to infer concept definitions that 
are universally regarded as correct. The validity of the theory itself extends to 
the available knowledge. Conversely, new observations can point out the inade- 
quacies in the current formulation of the concepts. In such a case, the theory is 
incorrect and a suitable process of theory revision should be activated. 

A theory may be incorrect because, given a new observation, one of the follow- 
ing cases occurs: This observation is erroneously explained by the theory, thus 
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the theory is too general and needs to be specialized; this observation is erro- 
neously not explained by the theory, thus the theory is too specific and needs to 
be generalized. In this paper, we address these problems in a logic framework. 
The solutions that we propose require to perform a process of abstract diagnosis 
and debugging of the theory in order to restore its correctness. Specifically, the 
debugging of the theory is cast as a search for either a specialization (downward 
refinement) or a generalization (upward refinement) of that part of the theory 
detected as source of incorrectness by the diagnosis step. This search aims at 
finding a minimal refinement of a theory 1^41 . Indeed, in a logic-constrained be- 
lief revision approach, a contraction of a belief set with respect to (wrt) a new 
fact consists of a peculiar belief change, which requires the retraction of the in- 
formation causing the violation of consistency, when this property is regarded 
as an integrity constraint. 

Formulating logical theories from facts is the ultimate objective of concept learn- 
ing. In this area, a theory consists of a set of hypotheses, a hypothesis is a concept 
definition and observations are called examples. An example that should be ex- 
plained by a hypothesis is called positive, an example that should be refuted is 
called negative. 

Initially, the research efforts in this area centred on the analysis and develop- 
ment of inductive systems that synthesize a logical theory in a batch way. These 
systems start from an empty theory and stop the inductive process when the 
current set of hypotheses is able to explain all the available examples. When 
new evidence contradicts the synthesized theory, the whole process must be re- 
peated, taking no advantage of the previous version of the hypotheses. This is 
not true for incremental inductive systems. These systems are able to revise and 
refine a theory in an incremental way, thus the previously generated hypotheses 
are not completely rejected, but they are taken as the starting point of a search 
process whose goal consists of a new theory that explains both old and new 
observations. Incremental synthesis of theories is necessary in several cases, like 
changing world, sloppy modeling and selection bias even though problems 
might arise with recursive theories. 

This paper addresses the problem of incremental synthesis of theories in a logic 
framework, that allows us to cast this problem as a search in a space whose 
algebraic structure is now thoroughly understood m. and that makes easy the 
definition of search algorithms which meet many properties that are deemed as 
desirable from the point of view of the mathematical theory of computation (e.g., 
non-termination) | ll ti| . as well as from that of the theory of the computational 
complexity U US' 

The plan of the paper is as follows. In the next section, the logic language 
adopted to represent both the synthesized theory and the examples is briefly 
introduced. Section 3 recalls the logic framework, based on the notion of object 
identity, within which the problem of debugging an incorrect theory is addressed. 
Section 4 introduces the basic notions regarding incremental inductive synthe- 
sis of logical theories, while Sections 5 and 6 present the refinement operators 
that have been developed and implemented in a new version of INCR/H IlyI . an 
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incremental system that can inductively synthesize and correct logical theories. 
The results of the application of INCR/H to the real-world problem of document 
understanding are shown in Section 7. 



2 The Representation Language 

Henceforth, we refer to im for what concerns the basic definitions of a substitu- 
tion, positive and negative literal, clause, definite and program clause, and normal 
program. We will indifferently use the set notation and the Prolog notation for 
clauses. Given a first-order clause C, vars{C), consts{C) and | C \ denote re- 
spectively the set of the variables, the set of the constants and the number of 
literals occurring in C. 

By logical theory we mean a set of hypotheses; by hypothesis we mean a set 
of program clauses with the same head. In the paper, we are concerned exclu- 
sively with logical theories expressed as hierarchical programs, that is, as (non- 
recursive) programs for which it is possible to find a level mapping [H such 
that, in every program clause P{t\,t 2 , ■ ■ ■ , tn) <— L\,L 2 , ■ ■ ■ , Lm, the level of ev- 
ery predicate symbol occurring in the body is less than the level of P. 

Another constraint on the representation language is that, whenever we write 
about clauses, we mean Datalog linked clauses. Here, we refer to P| 0 for the 
basic notions about Datalog and its extensions Datalog"^ and Datalog^. A def- 
inition of linked clause is the following [7| . A Horn clause is linked if all of its 
literals are; a positive literal is linked if at least one of its arguments is; an 
argument of a literal is linked if either the literal is the head of the clause or 
another argument in the same literal is linked. An instance of a linked clause 
is C— = {P{x),^Q{x,y),^Q{y,z)}. Conversely, the clauses D = C{^Q{x,y)} 
and F = C'U{^i?(u, w)} are not linked. Indeed, the literal ~^Q(y, z) is not linked 
in D, whereas ^R{v,w) is not linked in F. 

The differences existing between examples and hypotheses are the following: 
Each example is represented by one ground clause with a unique literal in the 
head; each hypothesis is a set of program clauses with the same head. 

An example E is positive for a hypothesis FI if its head has the same predicate 
letter and sign as the head of the clauses in H . The example E is negative for H 
if its head has the same predicate, but opposite sign. An instance of a positive 
example is: Uncle(Sam, Bob) ^ Parent(Tim, Bob), Brother(Sam, Tim). 

An instance of a negative example is: 

^ Uncle(Mary, Bob) <— Parent(Tim, Bob), Female(Mary). 

Furthermore, no predicate invention is performed. 



3 Object Identity and 0o/"Snbsnmption 

Here, we introduce a logic language, called Datalog^^ , which is an instance 
of constraint logic programming 0. The basic notion of Datalog*^^ is that of 
object identity. We recall the definition of object identity, previously given in ^ 
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m for a first order logic that is both function-free and constant-free, and later 
generalized to a full first order logic E IH]' 

Definition 1 (Object Identity). Within a clause, terms denoted with differ- 
ent symbols must be distinct. 

This notion is the basis for the definition of both an equational theory for Datalog 
clauses and a quasi-ordering upon them. In Datalog, the adoption of the object 
identity assumption can be viewed as a method for building an equational theory 
into the ordering as well as into the inference rules of the calculus (resolution, 
factorization and paramodulation) 1141 . Such equational theory is very simple, 
since it consists of just one rewrite rule (in bold-face), in addition to the set of 
the axioms of Clark’s Equality Theory (GET) IHll : 
t yf s S body{C) for each clause C in C and 

for all pairs t, s of distinct terms that occur in C (OI) 

where C denotes the language that consists of all the possible Datalog clauses 
built from a finite number of predicates. 

The (OI) rewrite rule can be viewed as an extension of both Reiter’s unique- 
names assumption IT31 and axioms (7), (8) and (9) of GET to the variables 
of the language. Under object identity assumption, the Datalog clause 

C = P{x) : -Q{x, x),Q{y, a) 

is an abbreviation for the Datalog*^^ clause 

Coi = P{x) : -Q{x,x),Q{y,a) || [x y],[x a],[y a] 

where P, Q denote predicate letters, x, y variables, a is a constant and the 
inequations attached to the clause can be seen as constraints on its terms. 
These constraints are generated in a systematic way by the (OI) rewrite rule. 
In addition, they can be dealt with in the same way as the other literals in 
the clause. Therefore, under object identity, any Datalog clause C generates a 
new Datalog^ clause Cqi consisting of two components, called core{Coi) and 
constraints{Coi) , where core(Coi) = C and constraints{Coi) is the set of the 
inequalities generated by the (OI) rewrite rule, that is to say, 
constraints{Coi) = {t yf s | t, s G terms{C),t, s distinct} 

Therefore, Datalog®^ is a sublanguage of Datalog^. Formally, a Datalog*^^ pro- 
gram is made up of a set of Datalog^ clauses of the form 

Q(xi,X2, . . . ,x„) : -(/? II / 

where Q and Lp are as in Datalog, I is the set of inequations generated by the 
(OI) rule and n > 0. The symbol ”||” means and just like but is used for 
the sake of readability, in order to separate the predicates coming from the (OI) 
rewrite rule from the rest of the clause. Nevertheless, Datalog*^^ has the same 
expressive power as Datalog. Indeed, it is possible to prove the following results. 
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Proposition 2. VC S Datalog 3C = {Ci, C 2 , . . . , C„} C Datalog^^ : 

Tc 1 u; = Tc t w 

that is, for each Datalog clause we can find a set of Datalog*^^ clauses equivalent 
to it. 

Proof. The difference between a Datalog clause and a Datalog*^^ clause is that, in 
the former case, it is interpreted without any constraint on the variables appear- 
ing in it, while, in the latter, additional literals expressing the Ol-constraints 
are implicitly assumed. If we progressively eliminate from the clause all the 
possible combinations of inequations and introduce new clauses reflecting their 
unification, every possible substitution we can think of will involve one of the 
combinations already considered (maybe the empty one), so we can refer to 
the corresponding clause which we introduced and which eliminated the noisy 
constraints. These observations lead to the following algorithm, that, given a 
Datalog clause C, computes the set of Datalog*^^ clauses C = {Ci, C 2 , . . . , Cn} 
such that Tc t w = Tc ] tv. 

function GenerateDatalogOIClauses ( C : DatalogClause ) : DatalogOIClauses 
begin 
:= {}; 

for fc = 0, 1, . . . , I vars{C) \ do 

foreach combination of k variables out of | vars{C) \ do 
begin 

Define some ordering between the k variables; 

foreach permutation with replacement of fc constants out of | consts(C') | do 
for = 1, 2, . . . , I vars{C) \ —k do 
begin 

foreach partition (IV)j=i^ 2 ,...,/i of the remaining variables s.t. 

\/i,j = 1,2,.. .,h,i <j :\Vi \= ri,ri < do 
begin 

c’u ■■= {}; 

Build a clause D by replacing the l-th {I = 1,2, . . . , k) variable 
of the combination with the l-th constant of the permutation 
and Vi = 1, 2, . . . , /i all the variables belonging to Vi with 
one new variable; 

if Vi, j = 1,2, ... ,k,i ^ j : Ti yf Vj then Insert D in C), 
elsif there exists no renaming of D in C), then Insert D in 
end; 

C := C U C; 
end; 

end; 
return C 
end; 
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By definition, the Tp operator acts only on the ground instances of the clauses 
of the program it is applied to. As a consequence, proving the thesis is equivalent 
to demonstrating that the following sets A and B are equal. 

A = ground(C) B = {ground(D) \ D G C"} 

where ground(E) denotes the set of the ground instances of the clause E. 

As the clauses in C' have been obtained from C by simply unifying variables 
(among them or with a constant), their structure is surely equal to that of C. 
But then, when comparing an element of ground((7) with one of ground(C"), 
it suffices to consider ground terms, which will be constants (since we work in 
Datalog and Datalog*^^). After this introduction, let us prove the thesis. 

C B) Any ground instance of C is obtained by substituting all the variables 
in C with constants. 



i) If all these constants are already in C, then the algorithm generates (in 
the last step of the loop) all the possible combinations of substitutions of 
variables in C with constants in C; 

ii) If none of these constants is already in C, then we will have a partition of 
vars{C), {Vi)i=i^ 2 ,...,k (1 < fc <| vars{C) |), s.t. Vi = 1,2, ... ,k all variables 
in Vi are associated to the same constant at {at yf yf j). But then 
the algorithm generates (in the first step of the loop) a clause which unifies 
among them all the variables in each Vi, to which we can apply the same 
substitution, since the noisy Ol-constraint has been removed; 

iii) If some of these constants are already in C and others are not, the algorithm 
applies the same substitutions on the constants which are already present, 
and unifies the remaining variables according to the partition introduced 
by the remaining constants (see ii), thus generating a clause to which it is 
possible to apply the same substitution. 

Note that i) and ii) can be seen as particular cases of iii). 

(B C A) On the other hand, given any ground instance of a clause Ci G C , 
it can be obtained immediately from C by substituting every variable with 
the constant which appears in the same position in that ground instance of 
Ci, because in C we do not have the Ol-constraint. Indeed, the algorithm 
generates C from C by leaving untouched all the constants, and at most by 
unifying some variables. □ 



Corollary 3. VP C Datalog 3P' C Datalog^^ : Tp | a; = Tpi | uj. 

that is, for any Datalog program we can find a Datalog*^^ program equivalent 
to it. 

Proof. Even for this result, the proof is constructive. It suffices applying the 
algorithm in the proof of Proposition 2 to every clause in P, and taking as P' 
the set of all the clauses generated by the following algorithm: 
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function GenerateDatalogOIProgram {P. DatalogProgram) : DatalogOIProgram 
begin 

P' ■■= {}; 

foreach clause C G P do 
begin 

C := GenerateDatalogOIClauses (C); 

P' ■- p' u C 
end; 

return P' 
end; 

Again, the semantic equivalence is cast (by definition of Tp) to proving the 
equality of the following sets: 

A = {ground{D) \ D G P} B = {ground{D) \ D G P'} 

C B) Given a ground instance of a clause C G P, C has been surely con- 
sidered in some step of this last algorithm, thus it generates a set of clauses 
C" C P' . But then, the proof of (A C B) in Proposition 2 holds for the 
(unique) ground instance of C and for the set of ground instances of clauses 
in C. 

(B C A) Given a ground instance of a clause C[ G P' , C[ has been generated 
by this last algorithm in correspondence of a clause C G P. But then, the 
proof of {B C A) in Proposition 2 holds for the ground instance of C' and 
for the set of ground instances of C. □ 

Now, we can recall the ordering relation defined by the notion of 0-subsumption 
under object identity - 9oi — subsumption - upon the set of Datalog clauses 0 
[II iS] . The following definition extends to Datalog the definition given in m HH] 
for constant-free (other than function- free) logic languages. 

Definition 4 (0o/-subsumption ordering). Let C, D be two Datalog clauses. 
We say that D 9-subsumes C under object identity (D 9oi~subsumes C) if and 
only if (iff) there exists a substitution a such that (s.t.) Doi-cr C Coi- 
In such a case, we say that D is more general than or equivalent to C (D 
is an upward refinement of C and C is a downward refinement of D) under 
object identity and we write C <oi D. We write C <oi D when C <oi D 
and not{D <oi C) and we say that D is more general than C (D is a proper 
upward refinement of C) or C is more specific than D (C is a proper downward 
refinement of D) or D properly 9oi~subsumes C. We write C ^oi D, and we 
say that C and D are equivalent clauses under object identity, when C <oi D 
and D <oi C . 

Like 0-subsumption, 0o/-subsumption induces a quasi-ordering upon the space 
of the Datalog clauses, as stated by the following result. 



Proposition 5. Let C, D, E be Datalog clauses. Then: 

a) C "Gqi C b) C ^oi D and D ^oi E ^ C ^oi B 
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Proof, a.) C C C implies Coi-{} C Cqi, thus C <oi C. 

b) If C <oi D and D <oi E then there exist the substitutions cr and 9 s.t. 
Doi-(J C Coi and Eqi-O C Dqi. Thus, it holds Eoi-Oa C Doi-cr C Cqi, where 
9a denotes the composite of the substitutions 9 and a. This proves C <oi E. □ 

A characterization of the notion of 0o/“Subsumption is: 

Proposition 6. Let C, D be two Datalog clauses, C <oi D 
3as.t.core{Doi).a C core{Coi) and constraints(Doi) -a C constraints{Coi) 

Proof. ’=!>’: From Definition 4,, C <oi D means that there exists a substitution 
a s.t. Dqi. a C Cqi 

{core(Doi) U constraints(Doi)) .a C core(Coi) U constraints{Coi) ^ 
{core{Doi).a U constraints{Doi) .a) C core{Coi) U constraints(Coi) . 

But inequalitites cannot occur in a Datalog clause, thus it yields: 

core{Doi).a n constraints{Doi) -a = 0 

core{Coi) n constraints(Coi) = 0 

core{Doi).a n constraints{Coi) = 0 

constraints(Doi) .a n core(Coi) = 0 

By simple algebraic manipulations, it is possible to obtain: 

core{Doi).a C core{Coi) and constraints(Doi) .a C constraints{Coi) . 

Trivial. □ 



4 Incremental Inductive Synthesis Basics 

Generally, the canonical inductive paradigm requires the fulfilment of the prop- 
erties of completeness and consistency for the synthesized theory. Formally, we 
introduce the following definitions, strictly valid for hierarchical theories, where 
E~ and A+ denote the sets of all the negative and positive examples, respec- 
tively. 

Definition 7 (Inconsistency). A theory T is inconsistent iff3H G T, 3N G 
E : H is inconsistent wrt N. A hypothesis H is inconsistent wrt N iff3C G PI: 
C is inconsistent wrt N. A clause C is inconsistent wrt N iff 3a: 

1. hody(C).a C body(N) 2. ^ head(C).a = head(N ) 

3. constraints (Co I ).(T C constraints (Nqi) 

where body{(p) and head{(p) denote the body and the head of a clause ip, respec- 
tively. Note that, in this definition, we cannot use the <oi notation, since we 
need to find a unique a that satisfies conditions 1), 2) and 3). If at least one of 
the three conditions above is not met, we say that C is consistent wrt N. 

Definition 8 (Incompleteness). A theory T is incomplete iff3H G T, 3P G 
E~^ : H is incomplete wrt P. A hypothesis H is incomplete wrt P iff G H : 
not( P <oi C). Otherwise it is complete wrt P. 

Now, we can formally define the notions of commission and omission error. 
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Definition 9 (Commission/Omission error). Given a theory T and an ex- 
ample E: T makes a eommission error iff 3H € T , 3C S H : C is ineonsistent 
wrt E; T makes an omission error iff 3E[ € T : H is ineomplete wrt E. 

Whenever a commission error occurs, it becomes necessary to specialize all the 
inconsistent clauses C so that each new clause C’ restores the consistency prop- 
erty of the theory. When an omission error occurs, it becomes necessary to gen- 
eralize the incomplete hypothesis El so that the new hypothesis H’ restores the 
completeness property of the theory. This points out that the process of abstract 
diagnosis of an incorrect theory is performed at different levels of granularity, ac- 
cording to the type of error found. Specifically, if a commission error occurs, the 
diagnosis can be carried as far as the level of a single inconsistent clause, which 
is the only cause of the commission error, while if an omission error occurs, we 
are compelled to limit the scope of the diagnosis process to the coarser level of 
hypotheses, that is to say, the cause of an omission error is a single hypothesis. 
As to the debugging process, commission errors can be solved by exploiting prop- 
erly a downward refinement operator, while, dually, upward refinement operators 
can cope with omission errors. 

As we pointed out in m, in a logic framework for the inductive synthesis of 
Datalog theories from facts, a fundamental problem is the definition of locally 
finite, proper and complete {ideal) refinement operators. Indeed, when the aim 
is to develop incrementally a logic program, that should be correct with respect 
to its intended model at the end of the development process, it becomes rele- 
vant to define operators that allow a stepwise (incremental) refinement of too 
weak or too strong programs Hg. The ideality of the refinement operators plays 
a key role when the efficiency and the effectiveness of the design process is an 
unnegligible requirement. Unfortunately, when full Horn clause logic is chosen 
as representation language and either 9-subsumption or implication is adopted 
as generalization model, there exist no ideal refinement operators |zz|. 

On the contrary, they do exist under the weaker, but more mechanizable and 
manageable, ordering induced by Oqi - subsumption, as proved in U HH] 

5 Upward Refinement 

The upward refinement operator is inspired from the Interference Matching pro- 
posed by Hayes-Roth and McDermott p] . Differently from the original operator, 
our algorithm works on clauses rather than on Parameterized Structural Repre- 
sentations (PSR’s). Therefore, it extends the notion of maximal abstraction to 
the concept of least general generalizations (Igg) under 0o/-subsumption. 

Definition 10 (Iggo/)- A least general generalization under Oqi - subsumption 
of two clauses is a generalization which is not more general than any other such 
generalization, that is, it is either more specific than or not comparable to any 
other such generalization. 

Formally, given two Datalog clauses C\ and C 2 , C is a Igg under 9 qi - subsumption 
of Cl and C 2 iff: 
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1. Ci <oi C, i=l,2 2. VD s.t. Ci <oi D, i=l,2 : not( D <oi C ) 

lggoiiCi,C 2 ) = {C \ <oi c,i = 1,2 and WD s.t. Q <oi D,i = 1,2 : 
not{D <oi C)} 

In the following, we describe an algorithm that computes the set of the least 
general generalizations under 0o/-subsumption of two any Datalog*^^ clauses 
(the Igg is no longer unique under 9 oi -subsumption [U tij) . Such an algorithm is a 
straightforward extension to Datalog*^^ of a similar algorithm given by Plotkin 
(1970). This extension is necessary since the space of Datalog clauses is not a 
lattice when ordered by 0o/“Subsumption m, while it is a lattice when ordered 
by 0-subsumption m 

Preliminarily, we extend the definition of selection in m to Datalog*^^ clauses. 

Definition 11 (Selection under object identity). Let Ci and C 2 be two 

Datalog'^^ clauses. A selection under object identity of Ci and C 2 is a pair of 
literals < Ci,dj >, where Ci G core{Cigj),dj G core{C 2 oi), s.t. ct and dj have 
the same predicate symbol, sign, and arity. 

Algorithm (Iggoi computation) Let Ci and C 2 be two variable disjoint Datalog*^^ 
clauses. The set of the least general generalizations under 0o/-subsumption of 
Cl and C 2 , denoted with lggo/(C'i, C 2 ), is a set of clauses where each clause 
Goi is defined as follows. 



Goi = G 



core 



U G 



constraints 



where 

“ Gcore = {g \ g = lgg(ci , dj), < Ci,dj > selection under object identity of 
Cl and C 2 and (pk{x) yf ‘Pk(y), fc = 1, 2} lgg{ci, dj) denotes the least general 
generalization of Ci and dj computed with the algorithm given by Plotkin 
(1970). The functions (pk, k = 1, 2, are the substitutions s.t. Gcore-Pk C 
core{Ck), k = 1, 2. More precisely, if we call </> the function 

4>\ terms(Gi) x terms{C 2 ) — nvars U {consts{G 1 ) n const{G 2 )) s.t. 

/ / . \ / 'If I'i ~ Si 

* (A otherwise 

where < Cj,dw > is a selection under object identity of Ci and C 2 , Cj = 
P(fi,t 2 , . . . , tn), dw = P{s\, S 2 , . . . , Sn), nvars denotes a set of new variables 
and X is in nvars, then ipi and ip 2 are the projections of the inverse function 
of 4> onto terms(Gi) and terms{G 2 ), respectively. 

G constraints — '9 \ PkipS) yf g^kijj)-, k — 1, 2} 

The only difference of this algorithm with respect to Plotkin’s (1970) lies in the 
fact that it takes into account the (OI) rule in order to determine a partition of 
the literals in Gcore- This allows the algorithm to find the set of all the possible 
Igg’s under object identity rather than the unique Igg under 0-subsumption. 
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6 Downward Refinement 

Differently from the upward refinement operator, the downward refinement op- 
erator proposed in this paper is completely novel. Essentially, it relies on the 
addition of a non-redundant literal to a clause that turns out to be inconsistent 
wrt a negative example, in order to restore the consistency property of the clause. 
The space in which such a literal should be searched for is potentially infinite 
and, in any case, its size is so large that an exhaustive search is unfeasible. 

We can formally define the search space as the partially ordered set (poset) 
{C! ~07, <Ol), where Cj^oi is the quotient set of the Datalog linked clauses 
and <o/is the quasi ordering relation defined in Section 3, which can be straight- 
forwardly extended to equivalence classes under ~oz |II^’ Henceforth, we will 
always work on the quotient set £/~oz and, when convenient, we will denote 
with the name of a clause the equivalence class it belongs to. 

The novelty of the operator consists in focusing the search into the portion of 
the space that contains the solution of the diagnosed commission error. This is 
the result of an analysis of the algebraic structure of the search space. 

The search is firstly performed in the space of positive literals. This space con- 
tains information coming from the positive examples used to synthesize the cur- 
rent theory, but not yet exploited by it. When the search in this space fails, the 
algorithm autonomously performs a representation change, that allows it to ex- 
tend the search to the space of the program clauses rather than the definite ones. 
Thus, the search is performed into a space of negative literals, built by taking 
into account the negative example that caused the commission error. First of all, 
given a hypothesis H which is inconsistent wrt a negative example N, the process 
of abstract diagnosis detects all the clauses of H that caused the inconsistency. 
Let us suppose that the subset of the positive examples Oqi -subsumed by an 
inconsistent clause (7 is {Pi, P2, . . ., Pn}- The search process aims at finding 
one of the most general downward refinements under object identity of C against 
iV given Pi, P2, . . Pn , denoted with mgdroi{C, N \ Pi, P2, . . ., Pn): 

mgdroi{C,N\Pi,P2, . . . ,P„) = {M G mgdroi{C,N) \ Pj <01 M, 

j = l, 2 ,...,n} 

where the superset of the most general downward refinements under object iden- 
tity of C against a negative example N, denoted by mgdroi{C,N), is: 

mgdroi{C, N) = {M \ M <01 C, MconsistentwrtN,\/D : D <01 
C, DconsistentwrtN : not{M <01 D)} 

Throughout this section, we shall denote with C a clause that needs to be spe- 
cialized, since it is inconsistent wrt an example N. More precisely, the body of 
C needs to be subjected to a suitable process of downward refinement in order 
to restore the consistency property. 

Let us consider the problem of finding one of the clauses in the set mgdroi{C, N \ 
Pi, P2, . . . , P„). Since the downward refinements we are looking for must satisfy 
the property of maximal generality, it may happen that the specializations of the 
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clause C are overly general, even after some refinement steps. This suggests us 
the possibility of further exploiting the positive examples in order to specialize 
C. Specifically, if there exists a literal that, when added to the body of C, is able 
to discriminate from the negative example N that caused the inconsistency of C, 
then the downward refinement operator should be able to find it. The resulting 
specialization should restore the consistency of the clause C, by refining it into 
a clause C’ which still 0o/-subsumes the positive examples Pi, i = 1, 2, . . . , n. 
The process of refining a clause by means of positive literals can be described as 
follows. For each Pi, i = 1,2, ... ,n, let us suppose that there exist Ui distinct 
substitutions such that C do/-subsumes Pi. Then, let us consider all the possible 
n-tuples of substitutions obtained by picking one of such substitutions for every 
positive example. Each of these substitutions is used to produce a distinct resid- 
ual, consisting of all the literals in the positive example that are not involved 
in the 0o/~subsumption test, after having properly turned their constants into 
variables. Formally, a residual can be defined as follows. 



Definition 12 (Residual). Let C he a clause, E an example, and aj a substi- 
tution s.t. hody{C).(jj C body{E) and constraints{Coi).cfj C constraints(Eoi). 
A residual of E wrt C under the mapping Uj, denoted by Aj{E,C), is: 

A,{E, C) = body{E).q-^ - body{C) 

where a~^ is the extended antisubstitution (or inductive substitution) obtained 
by inverting the corresponding substitution aj. Indeed, an antisubstitution is a 
mapping from terms and addresses into variables. When a clause C 0o/~subsumes 
an example E through a substitution a, then it is possible to define a correspond- 
ing antisubstitution, , which is exactly the inverse function of a. Then, 
maps some constants in E to variables in C. Not all constants in E have a cor- 
responding variable according to . Therefore, in Definition 12, we introduce 
the extension of cr“^, denoted with that is defined on the whole set of con- 
stants occurring in E, consts(E), and takes values in the set of the variables of 
the language: 



s: ^(c„) 



O' ^(c„) ifcn G vars{C).a 
otherwise 



Henceforth, variables denoted by _ will be called new variables and managed as 
in Prolog. The residuals obtained from the positive examples Pi, i = 1,2, ... ,n, 
can be exploited to build a space of complete positive downward refinements, 
denoted with P, and formally defined as follows. 



p= u n ^jdPk,c) 

2— k—l,2,...,n 



where Aj,, {Pk , C) denotes one of the Uk residuals of Pk wrt C and 
L\k=i,2,...,nAj,.{Pk,C), when jk takes one of the values in {1,2,..., Uk}, is the set 
of the literals common to an n-tuple of residuals (one residual for each positive 
example Pk, k = 1,2, ... ,n). Moreover, denoted with Oj, j = 1, 2, . . . ,m, all the 
substitutions which make C inconsistent wrt N, let us define a new space: 
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Then, the following proposition holds. 

Proposition 13. Given a clause C, that 9oi -subsumes the positive examples 
Pi, P 2 , ■ ■ ■ , Pn and is inconsistent wrt the negative example N, then any linked 
clause C = C U {^}, with I gP — S, is in mgdroi{C, iV|Pi, P 2 , . . . , P„). 
Formally:{C | C" = C U {^}, ^ S P — S} C mgdroiiC, iV|Pi, P 2 , . . . , Pn)- 

Note that I is an element of hody{C). 

Proof. In order to prove C <01 C, let us observe that in the space 

(^/ ~o/, <oi) the set of all constant-free upward refinements of a clause C 

corresponds to the set 2^ , thus each proper upward refinement of C has a 

number of literals less than the number of literals of C m- Therefore C C 

C' => C' <01 C, i.e. C’ is a proper downward refinement of C under Oqi- 

subsumption. 

Let us show now that C is consistent wrt N . First of all, observe that 
Vj = 1,2, ...,m : ^head{C').9j = ^head{C).9j = head{N). 

Moreover, Vj = 1, 2, . . . , m : body{C').9j = body{C').9j = (body{C) U {l})-9j = 

body{C).9jU{l}.9^ (1) 

lGP-S^liS = [Jj=i, 2 ,...,m C) ^ Vj = 1, 2, . . . , m : / ^ A,{N, C). 

By definition of P, 

I G P ^ I ^ C, then \/j = 1,2, . . . ,m : I ^ body{N).9~^ ^ 1.9^ ^ body{N) 

^ {l}.g^ (t body{N). 

Then, looking back at (1), we can conclude that: 

Vj = 1, 2, . . . , TO : body{C').9j hody{N). 

This proves that C is consistent wrt N . Indeed, any other substitution causing 
the inconsistency of C would be a superset oi & 9j {j = 1,2,..., to) because 
of our assumption that they were the only possible substitutions under object 
identity s.t. body(C').0j C body(fV) and we have just proved that each of them 
makes C" consistent wrt N. 

Now suppose that 3F which is consistent wrt N and s.t. C" <01 F <01 C 
^\C'\=\C\+1>\F\>\C\^\F\ = \C\ 

But P is a specialization of C, then it can be inferred that P ~o/ C. Thus P is 
inconsistent wrt N , just as C. 

According to the hypotheses of the proposition: 

V/c = 1, 2 ,. . . ,n: hea,d{C) .a = head(Pfc) and hody{C ) C body(Pfc) (cTj^, are 
the substitutions that appear in the definition of P). 

I G P ^ I G rifc=i, 2 ....,n i.Pk,C) => VA: = l,2,...,n : I G body{Pk). 
aj^ =>Wk = 1,2, ...,n : 1. G body{Pk)- Then, body(C").CT^-j_ = hody{C).g_j^ U 
C body(Pfc), Vfc =1, 2, ...,n. Then, Pfc <01 C . □ 
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Proposition 13 states that every downward refinement built by adding a literal 
in P - S to the inconsistent clause C restores the properties of consistency and 
completeness of the original hypothesis. Moreover, it is one of the most general 
downward refinements of C against N . 

When the space P - S does not contain any solution to the problem of special- 
izing an inconsistent clause, the search is automatically extended to the space of 
negative literals. Specifically, let us suppose that the operator did not succeed 
in refining a clause wrt a negative example TV in a complete and consistent way. 
In such a case, a change of representation must be performed in order to search 
for literals in another space, corresponding to the quotient set of the Datalog^ 
linked clauses. Therefore, it is necessary to define a new target space, called the 
space of negative downward refinements. Given a clause C, an example N and 
the set of all substitutions 9j, j = 1, 2, . . . ,m, such that C is inconsistent wrt 
N, the space of negative downward refinements, denoted with S„, is: 

S„ = neg(S) = neg(Uj=y 2 ,...,Tn^j(iV, G)) 

where, given a set of literals (p = {h,l 2 , ■ ■ ■ , In}, n > 1, neg{<p) denotes the set 
of literals ■ ■ ■ , ^In}- 

As for the process of downward refinement by positive literals, we are interested 
in a specific subset of S„, because of the properties satisfied by its elements. Such 
a subset, called space of consistent negative downward refinements, is denoted 
with Sc and is defined as follows. 

Sc = neg(nj=y2....,m^j(A^, G)) 

The reason why the operator focuses onto the subset Sc, rather than onto the 
whole set S„, lies in the following result: 

Proposition 14. Given a clause C , an example N and the set of all substi- 
tutions 9j, j = 1,2, ... ,m, such that C is inconsistent wrt N, then any linked 
program clause G' = G U {!}, with I G Sc, is in mgdroi{C, N). 

Formally:{C | G' = G U {/}, I G Sc} C mgdroiiC, N) 

Note that I is a negated literal occurring in the body of G', thus G' G Datalog^ . 

Proof. As to the proof that C' is a proper downward refinement of G under 
0o/“Subsumption, refer to the proof of Proposition 12. 

Given a linked program clause G' = C LI {1}, with I G Sc, in order to prove that 
G' is consistent wrt JV, let us suppose (reductio ad absurdum) there exists a 
substitution ui s.t. G' is inconsistent wrt iV. Then, from Definition 7: 

1. body(G').CTi C body(A^) 2. ^ head(G').cri = head(A^) 

3. constraints(Go/).CTi C constraints(iVo/) 

As a consequence, cti is also one of the k substitutions that make G inconsistent 
wrt JV. We also have from the hypotheses of the proposition: 
body(G').CTi = body(G').CT 2 = (body(G)U {l}).^i = body(G).CTi U {^}-CTi 
with I G Sc = neg{r\j=i^ 2 ,...,m^j{JV,C)). But: 
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^ Sc.CTi C neg(Z\i(iV, C)).CTi = neg(body(A^).CT;f body(C)).CTi = 
neg(body(iV).a]”^.CTi— body(C).CTi) = 
neg(body(7V)— body(C').CTi) C neg(body(iV)) and 
{l}.g_i C body(C").o;j = body(C").cri C body(Ai), according to 1. 

But this is impossible since body(Ai)n neg(body(iV)) = 0. 

In order to prove that C' is in mgdroiiC, N), it remains to demonstrate that: 
yn,D <oi C, D consistent wrt N-. not{C <oi D). 

Suppose (ad absurdum) that 3D s.t. D <oi C, D consistent wrt N and C <oi 
D. Then: 

C' <oi D^\D |<| C' 1 = 1 C I +1 ^1 7^ |<| C I (2) 

D<oiC^\D\>\C\ (3) 

Therefore, from (2) and (3), it results: \ D \=\ C |. 

By hypothesis, C is a generalization of D, but the only constant-free upward 
refinement of D having the same number of literals of I? is I? itself. Thus, 
C = D and this is a contradiction because C is inconsistent wrt N , whilst D is 
consistent wrt N by hypothesis. □ 

Proposition 14 easily extends to any linked literal I which introduces new vari- 
ables, due to negation-as-failure rule. Generally speaking, we can say that, given 
a clause C and an example N such that C is inconsistent wrt N due to some 
substitutions 9j, j = l,2,...,fc, the search for a complete and consistent hy- 
pothesis can be viewed as a two-stage process: the former stage searches into the 
space P - S, the latter into Sc. By means of Propositions 13 and 14, we are now 
able to formally define our novel downward refinement operator on the space of 
constant-free Datalog linked program clauses, denoted with Pq'P'^. 

Definition 15 pgg”® : £ ^ 2^, VC G £ : pg7"(C) = {C \ C = GU{I}, 

/ G (P-S)USc} 



Proposition 16. The downward refinement operator is ideal. 

Proof. 

(properness) 

pmns jg pj-Qpej. as a consequence of the definition of mgdroi{C, N) and of Propo- 
sitions 12 and 13. Indeed, PoF^^iC) C mgdroi{C, N). 

(local finiteness) 

The choice of I in pg’"'* is related to the construction of the sets P, S and Sc. 
Note that the number of substitutions s.t. a clause C 0o/-subsumes a clause D 
is finite and equal to 

I vars{D) \ x(| vars{D) \ —1) x ... x(| vars{D) \ — \ vars{C) \ -1-1). 

It is worthwhile to note that Sc is an intersection of a finite number of residuals, 
by definition. This number depends on the (finite) number of substitutions be- 
tween the clause C to be refined and the example N which causes the problem of 
inconsistency. In turn, each residual is a finite difference-set of literals between 
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two clauses. Thus, Sc is finite and computable. P is also an intersection of a fi- 
nite number of difference-sets between two clauses. This number depends on the 
number of substitutions between C and the positive examples already processed. 
Finally, the set S is the union of a finite number of difference-sets between two 
clauses. This number depends on the number of substitutions between C and 
N. Since these sets are both finite and computable, is locally finite. 
(completeness) 

Let C, D be two clauses s.t. D <oi C (C, D € £). In this case, there exist some 
substitutions cTj, j = 1, 2, . . . , s s.t. | Aj{D, C) \= r. 

For a given j G {1, 2, . . . , s}, let us consider the literals in C). Then, we 

may write D as follows: 

D = C.aj U {^1,^2, • ■ • , h}, where C), k = 1,2, . . . ,r. 

We can build the following set of clauses: 

{Fh}h=o,i,....r, where Fh = C.aj U {^1,^2, ■ • for h = 0,l,...,r. 

Note that: Fq = C.Uj and F^ = D. 

In order to demonstrate the completeness property, it is to be proven that: 

Vfc = 0, 1, . . . , r - 1 : Ffe+i G pg'r 

For a given A: G {0, 1, . . . , r— 1}, let us consider Fk+i = C.CTj U{Zi, Z 2 , . . . , h+i} = 
Fk U {Zfc+i}. 

Let us suppose now, without loss of generality, that the database of the available 
positive examples is made up of the set {Pi, P 2 , . . . , Pn} and that Nk is the 
negative example which calls for the downward refinement operator ■ 

If Ik+i is a positive literal in the body of Ffe+i, then, by looking back at the 
definition of , we note that we are able to build the sets P and S s.t. 
Ik+i G P — S, and then Fk+i = U {Zfc+i} G pQ)(‘‘{Fk). In fact, the set P 
depends on the positive examples {Pi, P 2 , . . . , Pn}, and the set S depends on Nk, 
which can be chosen in such a way that Ik+i ^ Am{Nk, Fk) for each substitution 
7m between Nk and Fk causing Fk to be inconsistent wrt Nk- 
If Ik+i is a negative literal in the body of Fk+i, then by definition of Pq"^^ , we 
are able to build the set S^, which in turn depends on Nk and Fk, in such a way 
that Ik+i G neg{ Ajn{N k, Fk)) for each substitution 7^ above. □ 

The ideality of the refinement operator pg’"'* is owed to the peculiar structure 
of the search space when ordered by the relation <01 ■ In the same search space 
ordered by 0-subsumption, an ideal refinement operator does not exist m 

7 Application to Document Understanding 

We implemented the operators described in Sections 5 and 6 in an incremental 
system, called INCR/H, in order to compare the performance of Datalog theo- 
ries synthesized incrementally to those synthesized in batch mode. Experimental 
results obtained by running the learning system FOCL are available in [Ej. 
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lo^ic j:yp«^XLd«r{p2) > 
part_c<(d 1^2)^ 

bgw _tvp<-r«««iv«»f p3)_, logic_typ<-g itfigLed(p4), logk_typ<-logo(p^j 
b^JV^«*^(«(p6)^lo^k_(yp«-r«{(p7)^ bgi«j:vT<'U&AgL«d(p8)^ 
li>gic_typ<-g a$iga«d(p9)j logk_typ<-<j ii5ig&«d(plCi), bgic j:vp«-*J&5i^d(p 11)^ 
widit}('m«diiiik(p2)^<Aril^--iXk«diu&>lar^(p0)^ widit)r«iball«5t(p4)^ 
vril0iiii«diuixk(p^^ widt}nxkcdijm^i&aU[p6)^ Viridt}raxL<dium^r^(p7), 
vodt)t^r^^v<ry-br^(p8)^ widtJ*^rjrv«ry“b»^(p9)^ vridtlwMdii tt-brg«(plCOj 
vrilOi-«aaUe$i(p 11)^ 

K<ig}<-m<dium-br^«(p2),K<i9}<-«i&aU[p3)^ }tti^Kt-$iulI««t(p4)^ 
)Kig)4-\^»y-siLiU(p5), hfii^Kt-v«Ky-v«Ky^ttall(p6),K«ig)4-^Ky-\«ry-#ia4U(p7)^ 
}i<ig}t-5i&alb$i(p@)/ )«i$ht-br^(p9)^ h£igKt-m«dij&-5iikaU(plO)^ 
}«i^}it-si&alU5t(pl i)^ 

typ*-<«:«(p2);,<yp<-<«xJ(p3)^ typ«-<«**(p4)_,<yp<-pic«ur«(p5)^^'yp<‘^*^P^)> 

(^«^xl(p7)_, typ«H« (p8), (T/p«^xl(p9[|_, (yp«i&ixtur«(p 10)^ typ«^« xJ(p !!)_, 
posidoixk^^l<^((p2)^ positioak^p(p3), pondoiL^p-lc(^p4)^ pondooL^p-lct^pS)^ 
pondoak-^p-ti9hi(p$)/ po$idoiik-<c>p(p?), poAtic«-<«zkbe»{p@)^ po$itio3k-««xi<i^p9)^ 
pc«ibft-Vot(o&-tig)t(plO)^ pontio^-'botto&-kfi(pll), 
ottj;op(p6 oaj;op(p6 jp6)j, ^»._ti>p(p7,p8)^ ©n_toi(p9jp 10)^, 
to_iigh(i2j4),to_>^)»(l5^7), 

&lig&£d-lo0k-<olu&&f(p2^p5)^ aligud-oftl^bv<^r-rov/(p6 ^pT)^ 
ftl%scd^b}y^kft^cil^p4j^7)^ ali^iLcd>l>ot}rrow$(p7 
ftl%Ecd^&}y-ngh^ol(p8jp9)^ aljgud^aJ7-«jpp«r-row(p4^p3) 

(b) 



Fig. 1. (a) A single-page A4 Olivetti letter, (b) A positive example of sender 



Several experiments were carried out in the area of electronic document under- 
standing. For all the experiments, we considered a database of 30 single-page 
A4 documents (Olivetti letters), in each of which we labelled the layout compo- 
nents with the corresponding logical meaning (logotype, signature, body, reference 
number, sender, date, receiver) in order to obtain the clauses representing the 
examples. Each labelled object is a positive example for the component it is 
associated to and, at the same time, is a negative example for all the other com- 
ponents. Thus, each document generates a set of examples. A positive example 
of sender, generated by the document in Fig. la, is shown in Fig. lb. An example 
of a Datalog theory made up of just one hypothesis for the concept receiver is: 
logic-type — receiver(X) :- height — very — small(X) ,type — text(X). 
logicJ,ype—receiver(X) :- tojrightiY, X), aligned— only— middle— column(Y, Z). 
The experiments have been replicated 10 times, by randomly splitting the data- 
base into two subsets, namely a learning set (with size 20) and a test set (with 
size 10). In turn, the learning set has been subdivided into training set and tun- 
ing set, with size 5 and 15, respectively, and has been exploited in two distinct 
ways, according to the mode - batch or incremental - adopted to synthesize the 
Datalog theories. In the former case, this set has been entirely given to the batch 
system INDUBI/H 0 as its input. In the latter case, only the training set has 
been used by INDUBI/H in order to produce the set of hypotheses representing 
the first version of the theory; then, the tuning set has been exploited to correct 
incrementally both omission and commission errors, if any, through the refine- 
ment process described in Sections 5 and 6. The test set has been exploited to 
evaluate the error rate of the inferred theories on unclassified components. 
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Learning set 
(batch) 
#pos+#neg 


Training set 
(incr.) 
#pos+#neg 


Tuning set 
#pos+ #neg 


Test set 
#pos+ #neg 


logotype 


20+220 




15+165 


10+110 


signature 


m221 


44^56 


15^^165 


10+110 


body 


20+220 


&I-55 


154^165 


10+110 


ref 


31+209 


&f52 


23^157 


15t1 05 


sender 


23+217 


6^54 


17+163 


12+1 08 


date 


24+216 


64^54 


18+162 


12+1 08 


receiver 


24+216 


6f54 


l&^^162 


12+1 08 



Table 1. Sizes of the example sets in the experimentations concerning the prob- 
lem of document understanding 



Table 1 reports the information concerning the experimental setup, i.e. the mean 
number of positive and negative examples used by the different phases. Note that 
many documents generated two or more instances of the concept ref, thus it has 
31 positive examples rather than 20 (the number of documents used for the 
learning set). Fig. 2 shows the results of the comparison between the theory syn- 
thesized in batch mode and that obtained incrementally, as concerns the error 
rate on the test set and the computational time taken by the system to produce 
the theories. Specifically, the batch time refers to the training set for the batch 
mode, while the incremental time is computed as the sum of the computational 
time concerning the training set for the incremental mode plus the time concern- 
ing the tuning set. Values concerning the error rate are percentages, while those 
concerning the time are expressed in seconds. All the reported figures refer to the 
average on the ten replications. Table 2 illustrates the results of two statistical 
methods exploited to evaluate the significance of the observed differences as to 
the error rate and time for each type of logical label, namely the paired t test 
(parametric) and the Wilcoxon test (non parametric). For a thorough explana- 
tion of the two statistical tests, refer to m- The t test has been performed as 
two-sided test at a 0.01 level of significance, while the Wilcoxon test both at 
0.05 and at 0.01 level. Each entry in the table contains the t value and the cor- 
responding significance value for the t test, the W value and the corresponding 
critical value, along with the sample sizes, for the Wilcoxon test. 

It is well-known that the t test requires that the population data be normally 
distributed, when used with small sample sizes (less than 30). Conversely, the 
Wilcoxon test does not make any assumption on the distribution of the popula- 
tion data. In our setting, the sample size is 10, i.e. the number of replications, 
thus the t test might seem to be unsuitable. However, we performed preventively 
a normality test in order to establish whether the population data are normally 
distributed. Such a test allows us to state that the population is normally dis- 
tributed at a 0.01 level of significance. 
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Fig. 2. Experimental results obtained with INCR/H 



Fig. 2 shows that the batch theories outperform the incremental ones for all 
the classes, with the exception of sender and date, as regards the error rate; on 
the contrary, as to the computational times the incremental system outperforms 
the batch one in all cases. However, the t test reveals no statistically significant 
difference between the error rates (clear boxes in Table 2), but a great difference 
in the case of computational time (shaded boxes). According to the Wilcoxon 
test the results are the same. 

8 Conclusions and Future Work 

In this paper, we presented a logic framework for the incremental inductive 
synthesis of Datalog theories. It allows us to define algorithms for abstract di- 
agnosis and debugging of incorrect theories, which strongly rely on effective and 
efficient (ideal) refinement operators. These algorithms have been implemented 
in a new version of an incremental system for inductive synthesis of Datalog 
theories, called INCR/H, whose performance has been successfully tested on the 
real-world problem of electronic document understanding. 
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Table 2. Statistical results 



Future work will aim at integrating INCR/H in the learning server component 
of a prototypical intelligent digital library service, called IDL. In IDL, document 
classification and understanding play a key role in the process of information 
capture and semantic indexing of the stored documents [E]. 

Another extension of INCR/H concerns the possibility of dealing with stratified 
theories (with recursion). 
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Abstract. In this paper, we reconsider the problem of specialising the 
vanilla meta interpreter through fully automatic and completely general 
partial deduction techniques. In particular, we study how the homeo- 
morphic embedding relation guides specialisation of the interpreter. We 
focus on the so-called parsing problem, i.e. removing all parsing overhead 
from the program, and demonstrate that further refinements in the con- 
trol of general partial deduction are necessary to properly deal with it. In 
particular, we modify local control on the basis of information imported 
from the global level. The resulting control strategy, while remaining fully 
general, leads to excellent specialisation of vanilla like meta programs. 
Parsing is always specialised, but - appropriately, as we will show - not 
always completely removed. As a concrete application, we subject an ex- 
tended vanilla meta interpreter capable of dealing with compositions of 
programs to our techniques, showing we equal or surpass results obtained 
through a more ad hoc approach. 



1 Introduction 

Writing meta interpreters is a well-known technique to enhance the expressive 
power of logic programs (see e.g. Q O])- However, the resulting interpreta- 
tion overhead considerably slows down program execution [0. 

A natural approach to solving this efficiency problem consists in specialising 
the interpreter with respect to a given object program 0 thus removing 

the overhead by performing all interpretation of the object program (in essence 
parsing the object program) during specialisation. Fully achieving the latter goal 
however, turns out to be a non trivial task EHIEZ10E] Satisfying results could 
often only be obtained at the cost of using not fully automatic and/or ad hoc 
techniques EH- In a recent paper i], Brogi and Contiero address specialisation 
of a non-ground vanilla-like meta interpreter extended in order to 

deal with program compositions 0 0 0- Again, the interpretion overhead is 
removed by an ad hoc specialise!', specifically constructed to handle the extended 
interpreter. 
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On the other hand, research on partial deduction of logic programs meanwhile 
resulted in fully automatic and completely general specialisation techniques, not 
requiring any specific a priori knowledge about the kind of programs to be spe- 
cialised, nor any help from the programmer (e.g. UniEllIH])- 

The key idea in automatic (on-line) partial deduction consists of building a 
number of different SLD-trees that together cover the complete computation of 
an atomicQ goal G in a program P: To that extent, the control of on-line partial 
deduction is conceptually divided into two levels ini ES]: the first one, often 
referred to as the local control level, deals with constructing a finite, possibly 
incomplete SLD-tree for a certain atom. Specialised clauses are produced from 
such a tree, one per branch, taking the root as head and the leaves as body. The 
global control level, on the other hand, concerns the set of atoms for which an 
SLD-tree is built. It decides on the amount of poly variance: how many different 
specialised versions will be produced for a given predicate definition? The global 
set must be kept finite, precise and correct (i.e. satisfying the conditions in m)- 

In this paper, we pinpoint a remaining shortcoming of this control scheme 
when specialising vanilla like meta interpreters. We show that the problem can 
be solved by modifying the local control level such that it takes information from 
the global level into account, and we present a concrete refinement of the local 
control that is capable of achieving excellent results when specialising this sort 
of interpreters. 

The outline of the paper is as follows. In Section 0 we recapitulate the crucial 
aspects of the automatic partial deduction strategy we use. Section Elconsiders 
specialisation of the vanilla meta interpreter and constitutes the main body of 
this paper. Subsequently, in Sectional specialisation of the program composition 
interpreter in |0 is addressed. We conclude with a discussion of our results and 
the ensuing plans for further research in Section 0 Throughout this paper, we 
only consider definite logic programs. 



2 Automatic Partial Deduction 

In this section, we briefly describe the essential ingredients of the partial de- 
duction method we use in this paper. Experiments were conducted using the 
ECCE automatic partial deduction system Further details on correctness 
and control of (on-line) partial deduction can be found in P2] and e.g. pimiHimi] 
respectively. 



2.1 Local Control 

Local control essentially consists of an unfolding rule, through which an SLD-tree 
is built for a certain atom. As a starting point for local control, we use the one 
proposed in Section 4.2 of El, adapted from EOIIIHI- The following definitions 
are taken from m 

^ G can be supposed atomic without loss of generality: If G =<— Ai,...,A„, one 
enhances the program with a clause A ■<— Ai, . . . , An. 
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Definition 1. Given an SLD-tree r. Let G =<— A . . . A An be a goal in r, 
Ajn the selected atom hi G, A ^ A\ f\ . . . f\ A'f. a, clause of P such that 9 is an 
mgu of Am and A. Then in ^ {Ai A ... A A ... A A ... A for each 

i G A'^9 descends from Am, and for each i G { 1 , . . . , n}\{m}, Ai9 

descends from Ai. If A! descends from A, and A" descends from A', then A" 
also descends from A, i.e. the relation is transitive. 

We define the homeomorphic embedding relation < as follows. As usual, ei ^ C 2 
denotes that 62 is a strict instance of ei. 

Definition 2. Let X, Y range over variables, / over functors, and p over pred- 
icates. Define < on terms and atoms: 

X<Y 

s < f{ti, . . . ,tn) s < ti for some i 

f{si, ... ,s„) < . . ,tn) ^ Si <ti for all i 

p{si, ...,Sn)< p{ti, ...,tn) Si <ti for all i and p{ti, . . . ,t„) p{si , . . . , s„) 

For atoms A,B: A<\B lA A<B and A^ B (where Aks B denotes that A and B 
are variants) . The extra condition in the fourth line was first introduced in [I iSj 
(Definition 15). It enables a more refined treatment of variables: Since p{X, Y) A 
p{X, X), p{X, X) ^p{X,Y) whereas p( A, y)<p(A',A') (since obviously p(A, F) 
is not a (strict) instance of p{X, X): p{X, X) 7 ^ p{X, F)). 

Definition 3. An atom A in a goal at the leaf of an SLD-tree is selectable unless 
it descends from a selected atom A', with A' < A. 



Definition 4. The unfolding rule U<\ unfolds the left-most selectable atom in 
each goal G of the SLD-tree under construction. If no atom is selectable, no 
further unfolding is performed. 

The intuition behind C/<| is that every atom in a goal of the SLD-tree under 
construction will be unfolded (in left to right order), unless it descends from an 
atom which it embeds. The use of the <-relation guarantees termination 

Independently of whether it is selectable according to definition 0 often we 
will denote the selected atom (under any unfolding rule) in a goal G by s(G), 
leaving the unfolding rule implicit. For a program P and a goal G, tjj{P, G) will 
denote the SLD-tree built by unfolding rule U for G in P, often simply written 
as tu{G) or tq. Given an SLD-tree r, AL{t) denotes the set of atoms in its 
leaves. 

2.2 Global Control 

At the global level, we start out with the atom in the goal G. For that atom, 
an SLD-tree is constructed according to t/<|. To ensure correctness m while 
producing a maximally precise partial deduction, for atoms appearing in the 
leaf of a constructed SLD-tree, a fresh such tree needs to be built when there is 
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not yet one with (a variant of) the given atom as its root. In this way, a set of 
partially deduced atoms and associated SLD-trees is produced. Without further 
measures, this set will often expand infinitely. Therefore, it is necessary to apply 
appropriate generalisations, replacing two or more atoms by their most specific 
generalisation (msg). This process can be made maximally precise through or- 
ganising the set in a global tree structure, denoted by ^(P, G). Before explaining 
how exactly this tree is constructed, we need the following notions which we here 
only describe informally: 

— A characteristic tree f is an abstraction of an SLD-tree r, that registers 
which atoms have been selected for unfolding and which clauses were used 
for resolution when building r. 

— A characteristic atom is a couple (A,ta) consisting of an atom A and the 
characteristic tree of its associated SLD-tree ta- 

Next, we extend the embedding relation < to characteristic atoms. This can 
be achieved by defining a term representation of a characteristic tree and subse- 
quently using < with this term representation m-- To that extent, a total map- 
ping, denoted by [.] from characteristic trees to terms (expressible in some finite 
alphabet) can be defined such that [.] is strictly monotonic and msg{TAi,TA2) 
is defined when < \ta2 \ ■ Informally, \tai~\ ^ [^^2! means that ta^ can be 

obtained from by “wiping out” some sub-branches of and msgijAi ) ^^2) 
is the common initial subtree of t a^ and t A2 ■ For more precise definitions of the 
above concepts, see Enmni- 

Definitions. Let (Ai,tai), {A2^ta 2) be characteristic atoms. We say that 
(A2,ta2) embeds {Ai,tai), if and only if A\ < A2 and \TAf\ ^ [^. 421 - 

Initially, ^(P, G) consists of one node: the root node G. Now, for an atom A 
in a leaf node of G{P, G), an SLD-tree ta is built according to the specific local 
control strategy used. For each atom B G AL{ta), a new node in G{P,G) is 
created as a child of the node A unless there is already a variant of B present in 
the part of G{P, G) constructed so far. However, to ensure termination, if B has 
an ancestor B' in G{P,G) such that (B,tb) embeds {B',tb'), the subtree with 
root B' in G{P,G) is replaced by the single node {msg{B' , B),msg{TB' ,^ b))^ 

By using embedding on characteristic atoms, the decision when to gener- 
alise is based not only on the syntactic structure (the atoms), but also on their 
specialisation behaviour (the characteristic trees), which ensures a much better 
control of polyvariance pn]iTC|rroj. 

Below, we will often refer to a node G in a global tree while we actually 
intend to name the atom in such a node. The intention will always be clear from 
the context, and, as a result, notation will be more simple. 

^ Actually, instead of just inserting the new node in the tree, one reiterates the process, 
first checking for variants and embedded ancestors. 
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2.3 Code Generation 

Consider a program P, a goal G and the global tree G{P, G) as a result of the 
partial deduction of P w.r.t. G. Then consider a node Go € G{P, G) with the as- 
sociated SLD-tree . For each leaf L of , consisting of the atoms Ai,. An 
a resultant clause is generated having the following form: G^O ^ 
where 9 is the substitution built along the branch Gq . . . ^ A\, . . . An- 

With each node Go G G{P,G) a renaming pco{X) is associated, where pcg 
is a unique predicate name, and X is the vector of free variables of Go- Then 
each resultant clause G, defined as GqO <— Ai, . . . , is renamed to pgo^ ^ 
PGi<t>i, ■ ■ ■ ,PGn4>n where Vi G Ai ^ Gi4>i for a substitution <f>i such 

that ^G' G G{P, G) \ AiK. G'4>' for a substitution cj)' and Gi -< G' . 

With PD{P, G) we denote the collection of renamed resultant clauses consti- 
tuting the final partial deduction of P w.r.t. G using the techniques as introduced 
above. 



3 Behaviour of C/<| when Unfolding Meta Interpreters 

In this section, we investigate automatic partial deduction of non-ground, vanilla 
meta programs, using the general technique presented in Section 0 Let us first 
repeat the definition of the well-known vanilla meta interpreter 

Definition 6. The vanilla meta interpreter V: 

(1) solve{true) . 

(2) solve{{A, B)) <— solve(A), solve(B). 

(3) solve{H) <— pclause{H , B) , solve{B) . 

As usual, an object program will be represented as a database of pclause- 
facts. Omitting the formal definition, we just include an example. 

Example 1. Consider as object program P, reverse with an accumulating pa- 
rameter, where a type check on the accumulator is added [1^, and its meta 
representation G{P). 

reverse{L, R) ^ rev{L, [], R). 

rev(W,L,L). Zs([]). 

rev{[X\Xs],L,R) ^ ls{L), rev{Xs,[X\L], R). Zs([A|A,]) ^ ls{Xs). 

pclause{reverse{L,R), rev{L, [], R)). 
pclause{rev{\\, L, L),true). 

pdauselrev{[X\Xs], L, R), {ls{L),rev{Xs, [X\L], R))). 
pclause{ls{\\) , true) . 
pclause{ls{[X\Xs]), ls{Xs)). 

The combination of the interpreter, TV, and the “encoded” object program, 
C{P), will be denoted by Vp. 
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3.1 Removing Interpretation Overhead 

For an object program P, we call meta structure all program structure in Vp that 
can never appear in arguments in Pi In concrete terms, this means the constant 
true, the functor , /2, and all functors representing object level predicates. 

A crucial aspect in the specialisation of meta interpreters is removing the 
handling of meta structure from the program, by performing all parsing oper- 
ations (the operations that explicitly deal with this structure) at specialisation 
time. The problem of achieving this is often referred to as the parsing problem 

Definition 7. For any program P and goal G, the residual program, PD(Vp, G) 
is called meta structure free if for each renamed resultant clause 
PGo^ ^ PGi4>i-,- ■ ■ -.PGjfn e PD{Vp,G) 

9,4>i, . . . ,4>n contains no meta structure. 

We will show that by extending our unfolding rule, it can be proven that for 
any program P and goal G =<— solve{p{X)) where p denotes a predicate in P 
and X a sufficient number of distinct variables filling up its argument positions, 
PD{Vp, G) is meta structure free El 

The following results are fairly obvious: 

Proposition 1. For any Vp, atoms with pclause as predicate are always un- 
folded by U^. 



Corollary 1. For any P and G, G{Vp,G) contains only solve atoms. 

Obviously, in case no generalisations occur while constructing G(Vp,G), for all 
Go € G(Vp, G) and for all A G AL{tgo) there exists a G' G G{Vp, G) such that 
A « G' . Since the same holds for the atom in G, and solve(X) will not appear 
in any SLD-tree, code generation will produce a meta structure free residual 
program. 

Moreover, suppose Gi, G 2 G G{P, G) are generalised such that Gi = msg{G\, 
G2)9 i, G 2 = msg{G\, G2)02 and neither 9i nor 02 contains meta structure. Since 
during code generation the only atoms A that are mapped on msg{G\, G 2 ) are 
variants of Gi , G 2 or their msg, the residual program will again be meta structure 
free. We illustrate this with the partial deduction of Example Q 

Example 2. P and G(P) are as in Example d PD{Vp, solve{reverse{L, R))) 
then looks as follows: 

® For more formal details, see m- 

If G =<— solve{X), the definition of the predicate, created from this root, will 
contain meta structure, in order to parse the top level goal. Although we do not 
consider this top level parsing to be a problem, we restrict the form of G in order 
to simplify the formulation of the theory and shorten the examples. Note however, 
that this restriction does not diminish the generality of our technique. 
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d3([])^ 

d3([Xl|X2])^d3(X2). 



rfi([],D)- 

dl([Xl|X2],X3) ^d2([],X2,Xl,X3). 
d2([],[],Xl,[Xl])^ 

d2([], [Xl\X2],X3,X4) ^ d2{[X3],X2,Xl,X4). 

d2([Xl|X2], [],X3, [X3,Xl|X2]) ^ d3{X2). 

d2{[Xl\X2],[X3\X4lXs,X6) ^ d3{X2),d2{[Xs,Xl\X2],X4,X3,X6). 

3.2 In Case Generalisations Take Place 

U<i (and similar unfolding rules [Z3) performs well when predicate arguments 
either shrink or grow throughout the unfolding process. Unfolding is allowed as 
long as information is consumed and appropriately halted when such is no longer 
the case. 

Problems however arise for predicates handling fluctuating structure(s): struc- 
tures that can grow, but also shrink between successive recursive calls. Most 
natural logic programs do not contain such predicates, but meta interpreters do. 
This is one of the main reasons why it is notoriously difficult to handle them 
well in automatic, general partial deduction. 

Consider a clause of the following form: 

p{[X\Xs],A)^a{X),p{X,,[X\A]) 

If somewhere during the process, solve{p{X, A)) in the global tree gives rise to 
solve{{a{X'),p{Xs,[X'\A]))), homeomorphic embedding will be detected be- 
tween the two atoms. We obtain solve{X) after generalisation of solve{p{X, A)) 
and solve{{a{X'),p{Xs,[X'\A]))). The problem is that the p-functor and all 
structure surrounding the embedded term are lost in the generalisation. Since 
for this generalised atom, a new SLD-tree will be built, this would result in a 
residual predicate handling (parsing) this meta structure. 

Now, if solve{{a{X'),p{Xs, [X'|A]))) was unfolded (locally) by one step 
further, the atoms solve{a{X')) and solve{p{Xs, [X'|A])) would be brought onto 
the global level, and the generalisation would occur between solve{p{X , A)) and 
solve{p{Xs,[X'\A])), leading to solve{p{Y, Z)) and leaving solve{a{X')) as it 
is. In this case, a generalisation still occurs, but less structure (and no meta 
structure) is lost by it. So, when unfolding the call solve{{a{X'),p{Xs, [X'|T]))) 
(the clause unifying with it only performs parsing: it splits the conjunction), the 
SLD-tree ends in a leaf of which the atoms are better suited to be put on the 
global level from a viewpoint of creating a meta-structure free residual program. 

In [1 tij , it was noticed that always unfolding such parsing calls seems a good 
idea, although no indication was given how to incorporate this idea in a general, 
automatic partial deduction technique. In subsection I, 3.. 31 we argue that, if we 
aim at obtaining a high degree of specialisation, it is often a better idea not 
to unfold parsing calls, at the cost of obtaining what we will call specialised 
parsing. We will therefore aim at further unfolding parsing calls only if they lead 
to generalisation. To that end, we modify our unfolding rule such that it takes 
global information into account and tries to avoid generalisation (or minimise 
the structure lost by it) when this can be safely achieved through some extra 
unfolding. 
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First, we introduce an unfolding rule that will unfold an atomic goal G =*— Ac 
only if it can deterministically be unfolded into a set of atoms A such that for 
every atom A G A : A<1 Aq- If this is the case, it means that an atom (predicate 
call) can be unfolded into several new calls to the same predicate, each with less 
structure in them. 

Definition 8. The unfolding rule Uext is wplied to an atomic goal Gq as fol- 
lows: If through (left-to-right) deterministic unfolding of Go, a derivation 
Go...Gn can be constructed such that G {0...n},i < j: s{Gj) descends 
from s{Gi), s{Gi) < s{Gj) and Gn =<— A\, . . . ,Am where \/i G {1 . . .m}: Ai < 
Go, then Uext{Go) = Gq . . . G„ , where Gn is the first such goal found, else 
Uext{Go) = Go- 

We will try to take fluctuating structure into account by merging C7<| and 
Uext- an SLD-tree, r, is built as usual, using [/<, but when an atom A G AL(t) 
would cause a generalisation if introduced onto the global level and if Uext{A) yf 
A, T is extended with the path Uext{A). 

Before presenting our extended unfolding rule, U^, we introduce some extra 
notation: Vext{Go) denotes the set of variables of Gq, "denoted by Vars{Go), that 
are instantiated by Uext in case Uext{Go) Gq. 

Algorithm 

Input: a program P, goal G, a global tree Q(P, G) with A a leaf of Q{P, G). 

Output: SLD-tree t^+{A). 

Init: i <— 0, To <— 0, Ti <— Tu^ (^), Let Anc{A) be the ancestors of A 

{A included) in Q{P,G). 
while Ti+i A Vi do 
i <— i -I- 1 

If 3 a leaf L =<— C, B, C' of n with B an atom and C, G' (possibly empty) 
conjunctions of atoms snch that 3B' G Anc{A) where 
B' < B, Uext{B) A B and Vext{B) n {Vars{C) U Vars{C')) = 0.®(*) 
then Ti+i ^ Ti Wl Uext{B) 
else Ti+i <— Ti 
end while 

Ty+ (^) ^ Ti 

where t{A) tUz, ^ Go . . . Gn is defined as extending the derivation 
^ A ^ L G, Go, G' in t{A) into 
^ A...^ L=^C,Go,G' ... ^G,Gn,G'. 

Theorem 1. The algorithm terminates and Tjj+{A) is an SLD-tree for A. 

Now, we can formulate an important result: 

Theorem 2. For any program P, goal G =<— solve{p{X)) with p a predicate in 
P, using the global control techniques described in Section IB and the enhanced 
unfolding rule U^, PD{Vp, G) is meta structure free. 

® using a look-ahead 

® This condition is necessary for the present proof of Theorem Q (see Appendix El). 
We are currently investigating to what extent it can be relaxed. 
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3.3 Specialised Parsing 

Opposite to observations in m, where it is argued that (parsing) calls should 
always be unfolded, as well as will often stop unfolding at such calls: 
solveiC) where C is a meta representation of an object level conjunction. During 
code generation, a new predicate will be made from Tso;„g(( 7 ), carrying all the 
(object) information of the conjunction. Consider the following example: 

Example 3. P\ p([]) ^ 

p{[X\Xs])^q{X),p{X,). q{X)^q{X). 

Figure Q shows the most interesting branches of the SLD-trees generated 
during derivation of PD{Vp, solve{p{X))) . If code is generated, by renaming G1 



Gl:^ solve(p(X)) G2:^ solve((q(X), p(Xs))) 

I X=[Xl|Xsl] I 

solve((q(Xl),p(Xsl))) solve(q(X)), solve(p(Xs)) 

solve(q(X)), solve(p(Xs)) 

I Xs=[X2|Xs2] 

solve(q(X)), solve((q(X2),p(Xs2))) 

Fig. 1. Branches of the first two SLD-trees constructed during generation of 
PD{Vp, solve{p{X))) 

to di, G2 to d 2 and d^ is the specialised predicate for solve{q{X)), we get the 
following program: 

di([])- d2{X,l]) ^ ds{X). 

di{[x\Xs]) ^ d2{x,Xs). d2{x, [y|y.]) ^ d3(x),d2(y,y). 

daiX) ^ dsiX). 

Note how d 2 carries out “specialised”, i.e. meta structure-less, parsing. If we 
unfold G1 one step further, using V’s parsing clause (2), we get the following 
program (renaming stays the same, although we have no predicate d 2 now). 

dl([])^ d3{X)^d3{X) 

di{[X\Xs]) ^ d3{X),di{Xs) 

This gives an indication that always unfolding parsing calls might be neces- 
sary to obtain a program that is fully equivalent to the original object program. 
On the other hand, if we aim at obtaining a large degree of specialisation, it 
might be worthwhile to stop unfolding at a parsing call, especially when infor- 
mation propagation in the atoms of the object conjunction is involved. Consider 
the following program P: 

Example 4- a{mammal) ^ b{cat, mammal) ^ 

a{X) ■!— b{X,Y),a{Y). b{dog, mammal) ^ 

p([X|Xs]) ^ a{X),p{Xs) b{eagle,bird) ^ 
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Using partial deduction of solve{p{X)) returns the following program Pi: 
di{[X\Xs]) ^ d2{X),di{Xs). 

d 2 {mammal) ^ d 2 {cat) ^ d 2 {dog) <— 



which is considerably more specialised than P. Always unfolding the parsing calls 
during specialisation of Vp, on the other hand, would yield a program essentially 
equal to P. However, if Vp is specialised using C/< without the extension Uext, 
due to a generalisation, a less specialised program is obtained. 



di{p{[X\Xs]) ^ d3{X,Xs) 
di{a{X)) ^ d2{X,Y) 
di{a(mammal)) ^ 
di{b{cat, mammal)) ^ 
di{b{dog, mammal)) <— 
di{b{eagle,bird)) <— 



d2{cat) <— 
d2{dog) ^ 

ds (mammal, [X\Xs]) <— di{X,Xs) 
d3(X, [Y\Ys]) ^ d2(X),d3(Y,Ys) 



So, contrary to what is generally believed, unfolding parsing calls during partial 
deduction does not always lead to optimal results. Unfolding some of the parsing 
calls, however, seems appropriate. This leaves us with several open issues, to 
which we will briefly return in Section 0 



4 Specialising an Extended Vanilla Meta Interpreter 

In pi 2]) Brogi and Contiero discuss specialisation of the following extended 
vanilla meta interpreter, adapted here to our notation: 

demo(E,true) <— 

demo(E, (A, B)) <— demo(E, A), demo(E, B). 

demo{E, El) <— clause(E, H, B),demo(E, B). 

clause(union(Ei, E2), H, B) <— dause(Ei, H, B). 

clause(union(Ei, E2), H, B) <— clause{E2,H,B). 

clause(inters(Ei, E 2 ), H, B) <— clause{Ei,H, B),clause(E 2 , H, B). 

clause(enc{E),H,true) <— demo(E,H). 

clause(pr(P), H, B) <— statement(P, H, B). 

The clause predicate implements operations needed for program composition: 
union, intersection and encapsulation. Single object programs are represented 
by statement(P, H , B) facts, where P is the program name, H the clause head 
and B the clause body. An elaborated discussion of these composition operators 
can be found in pmoiisi 

In the following, D will denote the extended vanilla interpreter above. The 
combination of D and a fully instantiated composition of object programs e will 
be denoted by Z?e- 

In pj, a specific program specialisation technique is developed in order to deal 
with these program compositions. A thorough discussion of the specialisation 
method is outside the scope of this paper, but it is noteworthy that the method 
relies heavily on knowledge about D. In case no enc operation is present in e, 
specialisation of will lead to a program where all manipulations of e are 
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removed. It is also pointed out that this program can be transformed into an 
equivalent object program. No indication, however, is given how to automate 
this transformation, possibly also relying on information about D. In case e 
contains an enc operation, the method of [Q removes all explicit handling of 
e, but the resulting program is, in essence, a set of different solve vanilla meta 
interpreters, each with an associated pclause database. Thus no overhead due to 
the interpretation of a single program is removed. Also, since the object level goal 
is not taken into account during specialisation, no specialisation at the object 
level can be achieved. 

An interesting question is how our general, automatic, partial deduction tech- 
nique handles specialisation of Dg. Instead of giving a full formal comparison, 
we present some important observations. Concrete examples and experimental 
results can be found in Appendix E As these examples show, our method is 
capable of achieving object specialisation as well. 

Theorem 3. For any program composition e, PD(De, demote, X)) contains no 
meta structure concerning e. 



Theorem 4. For any program composition e not containing an enc operation, 
PD(De, demo{e,p{X))) with p a predicate in e, contains no meta structure. 



5 Discussion and Further Work 

Although in this paper, we did not elaborate all details of the partial deduction 
method used, we would like to stress some important facts. The partial deduction 
method presented in this paper is a very general one, not specifically tuned to 
specialisation of V. The combination of U<j with the global control techniques 
gave satisfying results in previous contexts (see e.g. [0]Tl. If removal of structure 
is an important goal, it is necessary not to weaken the variant check on the global 
level: It should e.g. not be replaced by an (otherwise correct) instance check. 
Also, the use of < on atoms instead of characteristic atoms, is too weak. In some 
examples (e.g. Example 0, the use of characteristic atoms was a key factor in 
obtaining object specialisation. On the other hand, experiments indicated that 
the way in which a characteristic tree is imposed upon a generalisation [ES]E2] 
should be refined through further unfolding the greatest common initial subtree. 
Always simply imposing the latter gives rise to unwanted clause atoms in the 
global tree. 

In [EZJ it is argued that if partial evaluation (PE) has to be able to spe- 
cialise meta interpreters as effectively as specialisation by hand, numerous en- 
hancements should be incorporated into a basic PE system. Among these are 
automatic control of termination and the ability to handle more transformations 
(such as folding) . The most vital feature of a PE system [^| however seems to 
be its flexibility in deciding where to apply which particular transformation. In 
this paper, we made automatic partial deduction more “flexible” in this sense, 
by basing decisions it must take on more information. 
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Other approaches to specialising this kind of meta interpreters rely on ad- 
ditional information about which atoms should be unfolded mini- Since this 
information has to be provided by the programmer, automation of the proposed 
techniques is problematic. In automatic specialisation of meta interpreters 
is investigated, based on the notion of well-founded unfolding. Although good 
results are obtained on several examples, some issues in making it a generally 
applicable technique are still open. 

The loop prevention mechanism used in the partial evaluator Mixtus m 
is based on comparing terms by comparing their outermost functors up to a 
certain (ad hoc) depth and subsequently using the termsize function to determine 
whether there is a danger of looping. While this mechanism performs well on 
most simple examples, setting the system variables like max-depth may be non 
trivial in the case of specialising more complex meta interpreters. 

The effect of always unfolding parsing calls, as described in can be 
achieved by altering U^: instead of only using Uext on atoms that would cause 
a generalisation when brought in the global tree, Uext could be applied to every 
atom that is brought in the global tree. On the other hand, we demonstrated 
that keeping the object atoms together in one solve atom can cause more spe- 
cialisation to be achieved. In the near future, we will investigate to what extent 
similar effects can be obtained through conjunctive partial deduction iniini. 
Keeping the object atoms together in one solve atom often results in what we 
called specialised parsing. The question whether this is good or bad is not easily 
answered, since besides ’parsing’, unifications on different head arguments are 
often involved, indicating that the performance of the specialised program can 
be system dependent. 

As several experiments showed, generalising solve{C) with C a meta repre- 
sentation of an object conjunction, and further processing the generalised atom 
often does result in a node G on which solve{C) can be mapped during code 
generation without loss of meta structure. This indicates that is perhaps too 
rash, splitting solve atoms when it is not necessary and suggests that the deci- 
sion for which atoms residual code will be generated, should be based on even 
more information, including information from the global level. This may require 
to (partially) redo some local unfoldings when more information gets available. 
However, this is a topic of further research. 

Uext and U^ as introduced in this paper are general rules, not requiring 
any information about what precisely is “meta” structure. The resulting partial 
deduction method nevertheless deals very well with V and is, to the best of our 
knowledge, the first fully automatic, non ad hoc method to do so. In further work, 
we will investigate its performance in other contexts, including the specialisation 
of other, more involved meta interpreters. 
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A Proofs 



We first introduce some notation: For any program P, we denote by Pp the lan- 
guage underlying P. If e denotes a program composition, consisting of programs 
Pi, , P„, then £e denotes the language of e, i.e. £e = -Cp^ U . . . U £p„ . 

The proof of Proposition Oand Corollary ^is straightforward, since pclause 
is non recursive. Moreover, Proposition Qand Corollary Oalso hold when using 
P+. 



Lemma 1. For any program P. Let A be an atom in Cp. Let C be a meta 
representation of a conjunction of atoms in Cp; C = {Ai, (A 2 , . . . , (A„_i, A„))). 
Then Lfext{^ solve{{A,C))) soZue((A, C)), <— solve{A),solve{C). 

Proof. solve{{A,C)) can be deterministicallyfl unfolded by using clause (2) of 
V, resulting in solve{A), solve{C). Since during this unfolding no instantiations 
are made in A nor C, solve{A) < solve{{A,C)) and solve{C) < solve{{A,C)) 
by Definition 0 Moreover, since only one unfolding was performed, the set 
{solve{A) , solve{C)} is the first set {pi, . . . ,p„} found such that Vj G {1 . . . n}: 
solvefpi) < solve{{A,C)). So, by Definition 0 

Uext{^ solve{{A,C))) solve{{A,C)), ^ solve(A), solve{C). □ 



The following two lemma’s imply that every atom in G{Vp, G) for a program 
P and goal G =<— solve{p{X)) with p a predicate in P, is of the form solve{A) 
with A an atom in £p. 



Lemma 2. For any program P, goalG, VGq G G{Vp,G): Lf Gq=^ solve{{A, C)) 
with A an atom in Cp and C an atom or a meta representation of a conjunc- 
tion of atoms in Cp, then, using and global control as defined in Section n 
^Ga G Anc(Go) such that Ga ^ solve{{A,C)), where Anc{Go) denotes the set 
of ancestors of Gq in G{Vp, G). 

Proof. Suppose there exist Go,Ga G G{Vp,G) with Ga G Anc(Go) and Gq =<— 
solve{{A,G)) such that Ga < solve{{A,C)). By Algorithm b.2l Uext{Go) = Gq. 
Since Go =<— solve{{A, C)) , this contradicts Lemma Q □ 



Lemma 3. For any program P, goal G =<— solve{p{X)) with p a predicate in 
P, let G{Vp,G) be the global tree built by Ip^ and the global control as defined 
in Section^ Then solveftrue) ^ G{Vp,G). 

Proof, solveftrue) is not the root of G(Vp,G) and since Pc will always unfold 
solve(true), it cannot occur in a local leaf, and therefore not in G{Vp, G). □ 

The following lemma states that if two atoms in some G{Vp,G) are gener- 
alised, the structure lost by the generalisation will not contain any meta struc- 
ture. 



7 



using a look-ahead. 
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Lemma 4 . For any program P, goal G, let G(Vp,G) be the global tree built by 
and the global eontrol as defined in Seetion\^ For any Go, G' G G(Vp, G): If 



Go < G' sueh that Gq is generalised to Ggen = rnsg^GojG'), then Gq = Ggen(^ 
where 9 is a substitution not containing any meta structure. 

Proof. From Corollary 0 Lemma’s 0 and Lemma m Go = solve{p{ti, . . .,tn)) 
with p{ti, . . . ,tn) an atom in Cp. Since Go < G', G' = solve{p{si, . . . , Sn)) 
with p(si, . . . , Sn) an atom in Cp. By the definition of msg, msg{Go,G') = 
solve{p{gi, . . . ,5n)), where Vt € { 1 . . .n}: gi = msg{ti, Si), where U and gi are 
terms in £p. From this, the result follows. □ 



From Lemma 0 the proof of Theoreml^is straightforward. 

Lemma 5 . For any Dg, atoms with clause or statement as predicate are always 
unfolded by C 7 <. 

Proof. Atoms with a statement predicate are always unfolded by C/<| since the 
definition of statement is non recursive, clause predicates are recursive, but the 
first argument of either clause or demo is fully instantiated and, as can be seen 
from the definition of D, never growing between successive clause or demo calls. 
It even always shrinks in size between successive clause calls. Therefore, in an 
SLD-tree, no atom clause{ei,t\) can have an ancestor clause{e2,t2) such that 

clause{e2,t2) <clause{ei,ti)- □ 



Corollary 2 . For any program composition e and goal G, G{Dg,G) contains 
only demo atoms if Q{Dg,G) is built using the techniques of Section\^and C 7 < 
(or [/+;. 



Lemma 6. Consider two atoms demo{ei,ti) > demo{e2,t2)' demo{ei,ti) ances- 
tor of demo{e2,t2) in G{De,G). If 
demo{ei,ti) <demo{e2,t2), then e\ = 62. 

Proof. Suppose ei 62; since ei < 62, 62 should be strictly greater than ei. But 
then, by the definition of D, demo{e2,t2) cannot descend from demo{ei,ti). □ 



Lemma 7 . For a program composition e and atoms t\, t2 in Cg'. 

msg{demo{e,ti), demo{e,t2}) = demote, msg (ti,t2))- 

Proof. Follows from the definition of msg. □ 

Proof of Theorem 

Proof. Since all atoms in G{Dg, demo{e, X)) have demo as predicate (Lemma 0 , 
all we must prove is that, when the new predicates are generated, the program 
composition is filtered away during code generation. The only reason why it 
would not be filtered away, is because of a generalisation. But by Lemmas 0 
and 0 VG S G{Dg,demo{e,X)), G = demo{e' ,t), e' will not be generalised. □ 
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Proof of Theorem 0 

Proof. Ifecontains no enc operation, \/GGQ{De,demo{e,p{X))), G=demo{e,t). 
Since every atom in Q(De, demo{e,p{X))) contains the same e, and since this e 
does not influence the generalisations made (see Lemmas El and |Z|), this first argu- 
ment from all nodes G can be deleted, and the building of G{De, demo{e,p{X))) 
can be seen as equivalent to the building of Q{Vp, solve{p{X))) for some program 
P, and the proof of Theorem |2| can be used. □ 

Proof of Theorem Q] 

Proof. First, we will prove termination of the algorithm: Since tjj^ (^) is a finite, 
possibly incomplete SLD-tree, it has a finite amount of leaves. Therefore, we 
only need to concentrate on one such leaf. For every branch /3 in an SLD-tree 
r, ending in a leaf L, extending this leaf, by repeatedly performing Uext, will 
result in the branch /3 being lengthened a number of times into [3' . The set 
of nodes {Go, . . . , G„} e (3' is defined as follows: Go = L, V* S (1 . . . n}: Gi = 
Leaf{Uext{Gi-i)), where Leaf{D) denotes the end point of the derivation D. No 
other branches are created in r since Uext only performs deterministic unfolding. 
Now, we will proof that (3' has a finite number of nodes. 

— Uext{A) creates a finite derivation A= Kq . . . Km, where Vf € (0 . . .m}, Ki 
denotes a goal in the derivation. This follows from using < in Definition 0. 

— Consider the nodes (Go . . . G„}. This set is finite. Otherwise 3i,j with i < j: 
s{Gi) < s{Gj). But, by Definitions, condition (*) and transitivity of <, 
s{Gj) < s{Gi), and we have a contradiction. 

The second part of Theorem S states that the result of the algorithm is an 
SLD-tree. By Definition 0 if Uext{A) = Go . . . Gm, then Gq . . . Gm is an SLD- 
derivation. The result now follows from Definitions and the construction in the 
Wi-algorithm. □ 

B Examples 

In this appendix, we show some examples from 0]. Without giving an in depth 
comparison of the method of i,0 with our automatic method, we do present 
the obtained results. 

Consider the following example, adapted from 0. The example consists of 3 
program modules: path, train and ic. 

statement (path, path(_Cl, _C2) , train(_Cl, _C2, _T)). 

statement (path, path(_Cl, _C2) , (train(_Cl, _C3, _T) , path(_C3, _C2))). 

statement (train, train(f lorence , pisa, reg) , true). 

statement (train, train(f lorence , rome, int) , true). 

statement (train, train(pisa, genova, nat) , true). 

statement (train, train(pisa, rome, nat), true). 

statement (train, train(milan, florence, int), true). 

statement (train, train(milan, pisa, nat), true). 

statement (ic , train(_X, _Y, int), true). 
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B.l Without an enc Operation 

Example 5. PD{De, demo{union{pr (path) , inter s{pr (train) , pr{ic))) , X 1)) , 
where e denotes union(pr (path), inter s(pr(train),pr(ic))). 

demo (union (pr (path) , inters (pr (train) ,pr(ic))),Xl) 
demo__l(Xl) . 

demo 1 (true) . 

demo__l(’ , ’ (X1,X2)) 
demo__l(Xl) , 
demo__l(X2) . 
demo__l(path(Xl,X2)) 
demo__2(Xl,X2) . 
demo__l(path(Xl,X2)) 
demo__3(Xl,X2) . 

demo 1 (train (florence , rome , int ) ) . 

demo 1 (train (milan, florence , int) ) . 

demo 2 (florence, rome) . 

demo 2(milan, florence) . 

demo 3(milan,rome) . 

Notice how demo_l performs top level parsing, which is unavoidable, since 
we started with an object goal that is unknown at specialisation time. Besides 
this top level parsing, all meta structure has vanished from the program. Notice 
how our automatic technique has performed some specialisation, unrelated to 
the handling of the program compositions, by precomputing all possible paths 
(demo_2 and demo_3). 

In order to avoid this top level parsing, let us partially deduce the same 
example, but now w.r.t. a top level predicate path(X,Y): 

PD(De, demo(union(pr(path) , inter s(pr (train) , pr(ic))) , path(X , F))): 

demo (union (pr (path) , inters (pr (train) ,pr (ic) ) ) .path (XI ,X2) ) : - 

demo__l(Xl,X2) . 

demo 1 (florence, rome) . 

demo Kmilan, florence) . 

demo__l(Xl,X2) 

demo__2(Xl,X3) , demo__l (X3,X2) . 

demo 2 (florence, rome) . 

demo 2(milan, florence) . 

Notice how the threat of generalisation causes to split 
demo(e, (train(X, Z),path(Z, Y))) 

into demo(e, trainlX, Z)) and demo(e,path(Z, K)), thereby loosing the informa- 
tion propagation.tlln order to avoid this generalisation, let us partially evaluate 
the same example, but now w.r.t. a new top level predicate p. 

® Using U<i instead of (7^ leads to generalisation and a program similar to the one 
containing top level parsing. 
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statement(path,p(X,Y) ,path(X,Y)) . 

PD{Dg, demo{union{pr (path) , inter s{pr (train) , pr{ic))) , p{X , y)))H 

demo (union (pr (path) , inters (pr (train) ,pr(ic))),p(Xl,X2)) 
demo__l(Xl,X2) . 

demo l(florence,rome) . 

demo l(milan,florence) . 

demo__l(Xl,X2) 

demo__2(Xl,X2) . 
demo 2(milan,rome) . 

For comparison, the method of ^ yields the following program: 

path(X,Y) :-train(X,Y,T) . 
path(X,Y) :-train(X,Z,T) , path(Z,Y) . 
train(f lorence , rome, int) . 
train(milan, florence, int). 

B.2 With an enc Operation 

Example 6. PD(De,demo(union(pr(path),enc(inters(pr(train),pr(ic)))),Xl)), 
where e denotes union(pr (path), enc(inters(pr (train), pr(ic)))): 

demo 1 (true) . 

demo__l(’ , ’ (X1.X2)) 
demo__l(Xl) , 
demo__l(X2) . 
demo__l(path(Xl,X2)) 
demo__2(Xl,X2,X3) . 
demo__l(path(Xl,X2)) 

demo__3(Xl,X3,X4,X2) . 
demo__l(’ , ’ (X1.X2)) 
demo__4(Xl) , 
demo__4(X2) . 

demo 1 (train (florence , rome , int ) ) . 

demo 1 (train (milan, florence , int) ) . 

demo 2 (florence, rome, int) . 

demo 2(milan,f lorence , int) . 

demo 3 (milan, florence , int ,rome) . 

demo 4 (true) . 

demo__4(’ , ’ (X1,X2)) 
demo__4(Xl) , 
demo__4(X2) . 

demo 4 (train (florence , rome , int ) ) . 

demo 4 (train (milan, florence , int) ) . 

In this example, surrounding the intersection between train and ic with an 
encapsulation operation does not change the obtained degree of specialisation: 

® After deterministic post-unfolding, a new demo__l (milan, rome) fact replaces the 
demo__2 predicate. 
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besides the necessary top level parsing, no meta structure is present: all manipu- 
lations concerning the program compositions have been specialised away, as well 
as all manipulations concerning parsing of the single object programs. Moreover, 
all possible paths have once again been precomputed during the specialisationE3 
Compare this result with the obtained result of the specific technique, as 
reported in 

demo (union (pr (path) , enc(inters (pr (train) ,pr(ic) ))) , X):- demo_0(X) . 
demo_0(_E, true) . 

demo_0(_E, (_H,_T) ) : -demo_0(_E, _H) ,demo_0(_E,_T) . 
demo_0(_E, _H) :-clause_0(_E, _H, _B) , demo_0(_E, _B) . 
clause_0(path(_Cl, _C2) , train(_Cl, _C2, _T)). 

clause_0(path(_Cl, _C2) , (train(_Cl, _C3,_T), path(_C3, _C2, _T))). 
clause_0(X, true):- demo_l(X). 
demo_l(_E, true). 

demo_l(_E, (_H,_T) ) : -demo_l (_E, _H) ,demo_l(_E,_T) . 
demo_l(_E, _H) : -clause_l (_E, _H, _B) , demo_l(_E, _B) . 
clause_l (train(f lorence , rome, int) , true). 
clause_l (train (milan, florence, int), true). 

This example illustrates well the fact that, using the technique of 
all overhead due to the handling of the program compositions has vanished, 
but none of the overhead due to the handling (interpretation) of single object 
programs has. 

B.3 Object Specialisation 

We conclude with an example showing that extra information in the object goal 
can be used to obtain specialisation of the object program: 

Example 1. PD(De,demo(union{pr{train),pr{path))^path{X^rome))), 
where e denotes union{pr(train),pr(path))\ 

demo (union (pr (path) , pr (train) ) , path (XI , rome) ) : - 

demo__l(Xl) . 

demo 1 (florence) . 

demo 1 (pisa) . 

demo__l(Xl) 

demo__2(Xl,X2) ,demo__l(X2) . 

demo 2(florence,pisa) . 

demo 2 (florence, rome) . 

demo 2(pisa,genova) . 

demo 2(pisa,rome) . 

demo 2(milan, florence) . 

demo 2(milan,pisa) . 

The duplication of the parsing clause demoC , ’ (A,B)) is due to some strange be- 
haviour of the enc composition operator: the goal demo(enc(e) , (A,B)) will unify 
with the second clause of D (and a derivation will be started for demo (enc (e) ,A) , 
demo (enc (e) ,B)) as well as with the third clause of D (starting a derivation for 
demo(e, (A,B)), such that the object atoms A and B are evaluated once more. Of 
course, this behaviour is reflected in the specialised program. 
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The same remark as in Example El can be made. Specialisation w.r.t. 
p(X,rome) yields (after deterministic post-unfolding and removing duplicate 
clauses): 

demo (union (pr (path) ,pr (train) ) ,p(Xl ,rome) ) : - 

demo__l(Xl) . 

demo l(florence) . 

demo 1 (pisa) . 

demo 1 (milan) . 
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